diff --git a/doc/AboutRuleCreation-English.md b/doc/AboutRuleCreation-English.md
index a6e46bdd..754aca09 100644
--- a/doc/AboutRuleCreation-English.md
+++ b/doc/AboutRuleCreation-English.md
@@ -26,7 +26,7 @@ updated_date: 2020/11/8
* description [optional]: A description of the rule. This does not get displayed so you can make this long.
* author [optional]: The name of the person or persons who created the logic for the rule.
* detection [required]: The detection logic goes here.
-* falsepositives [optional]: The possibilities for false positives. For example: unknown、system administrator、normal user usage、normal system usage、legacy application、security team. If it is unknown, write "unknown".
+* falsepositives [optional]: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`. If it is unknown, write `unknown`.
* level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical`
* output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.)
* creation_date [optional]: The creation date.
@@ -219,7 +219,7 @@ The following wildcards can be used.
* `? `: Matches any single character. (Internally converted to the regular expression `. `.)
When wildcards are used, they will be interpreted according to the following rules.
-* Wildcards (`*` and `? `) can be escaped by using a backslash (`/`).
+* Wildcards (`*` and `?`) can be escaped by using a backslash (`/`).
* If you want to use a backslash right before a wildcard then write `\\*` or `\\?`.
* No escaping is required if you are using backslashes by themselves.
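Review bot: the escape character in the `+` line is still wrong: the sentence says wildcards are escaped with a backslash but shows a forward slash (`/`); it should read (`\`). The same stray spaces this line removes from `? ` also remain in the unchanged line above (`? ` and `. `), so fix those in the same pass.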
@@ -317,8 +317,8 @@ In addition, the following can be specified for the above operator:
* `<=`: If the value is less than or equal to the specified value, the condition is considered to have been met.
* `<`: If the value is less than the specified value, it will be treated as if the condition is met.
-# output notation
-You can specify the message that will be outputted when the detection condition is met.
+# Alert details
+You can specify the message (alert details) that will be outputted when the detection condition is met.
In addition to outputting a fixed string, it is also possible to display the value in the event log by enclosing the eventkey in a `%`.
In the example below, the eventkey value ScriptBlockText is used in the message when a detection is made.
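Review bot: renaming the heading from `output notation` to `Alert details` changes the section anchor, so any link to the old heading in this or other docs needs updating; grep for it before merging. Minor: `outputted` could become `output` while the sentence is being touched.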
diff --git a/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml b/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
deleted file mode 100644
index 2ded00a4..00000000
--- a/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: Bits Job Creation
-title_jp: Bits Jobの作成
-description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-author: James Takai, itiB
-contributor: Zach Mathis
-mitre_attack: T1197
-level: medium
-detection:
- selection:
- Channel: Microsoft-Windows-Bits-Client/Operational
- EventID: 59
-falsepositives:
- - normal system usage
-output: 'Job Title:%JobTitle% : URL:%Url%'
-output_jp: 'Job名:%JobTitle% : URL:%Url%'
-creation_date: 2021/07/15
-updated_date: 2021/11/18
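Review bot: this deletes a complete rule (MITRE ID, level, false positives, bilingual title/description/output) with no corresponding addition anywhere in the diff; confirm it has been moved or superseded rather than dropped, since coverage of BITS-Client Event 59 otherwise disappears.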
diff --git a/rules/alert-rules/hayabusa/Security/4673.yml b/rules/alert-rules/hayabusa/Security/4673.yml
deleted file mode 100644
index 5f945934..00000000
--- a/rules/alert-rules/hayabusa/Security/4673.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: Sensitive Privilede Use (Mimikatz)
-description: hogehoge
-author: Eric Conrad, Zach Mathis
-level: medium
-detection:
- selection:
- Channel: Security
- EventID: 4673
- # condition: selection | count(EventID) > 4
-falsepositives:
- - unknown
-output: |
- Sensitive Privilege Use Exceeds Threshold
- Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
- UserName:%SubjectUserName% Domain Name:%DomainName%
-creation_date: 2020/11/8
-updated_date: 2020/11/8
-comments:
\ No newline at end of file
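Review bot: deletion looks justified: the description is the placeholder `hogehoge`, the `count(EventID) > 4` aggregation the output text depends on is commented out so the rule would fire on every single 4673 event, and `Privilede`/`priviledge` are misspelled. If a replacement is written, it needs the count condition implemented before the "exceeds threshold" wording makes sense.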
diff --git a/rules/alert-rules/hayabusa/Security/4674.yml b/rules/alert-rules/hayabusa/Security/4674.yml
deleted file mode 100644
index 58b68ffc..00000000
--- a/rules/alert-rules/hayabusa/Security/4674.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: An operation was attempted on a privileged object
-description: hogehoge
-author: Eric Conrad, Zach Mathis
-level: informational
-detection:
- selection:
- Channel: Security
- EventID: 4674
- ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
- AccessMask: '%%1539'
- # condition: selection
-falsepositives:
- - unknown
-output: |
- Possible Hidden Service Attempt
- User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
- User: %SubjectUserName%
- Target service:%ObjectName
- Desired Access:WRITE_DAC
-creation_date: 2020/11/8
-updated_date: 2020/11/8
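Review bot: if this rule is ever restored, three defects need fixing: `level: informational` is not one of the documented values (`info`, `low`, `medium`, `high`, `critical`); `%ObjectName` is missing its closing `%` so it prints literally; and in the single-quoted regex `C:\WINDOWS\SYSTEM32\SERVICE.EXE` the sequences `\W` and `\S` are regex character classes, not literal backslashes, so the pattern would not match the path it is meant to match (double the backslashes).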
diff --git a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
deleted file mode 100644
index 6aa71f27..00000000
--- a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Hidden computer account created! (Possible Backdoor)
-description: A local user account was created
-author: Eric Conrad, Zach Mathis
-level: high
-detection:
- selection:
- Channel: Security
- EventID: 4720
- TargetUserName|endswith: "$"
-
-falsepositives:
- - unknown
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-creation_date: 2020/11/8
-updated_date: 2021/11/18
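Review bot: the title announces a hidden computer account while the description reads `A local user account was created`, and the stray blank line inside `detection` suggests an unfinished edit. Deleting is fine, but both 4720 rules are removed in this diff with no replacement shown, so confirm Event 4720 coverage is preserved elsewhere.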
diff --git a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
deleted file mode 100644
index 3c5aac23..00000000
--- a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: User account created
-description: A local user account was created
-author: Eric Conrad, Zach Mathis
-level: low
-detection:
- selection:
- Channel: Security
- EventID: 4720
- filter:
- TargetUserName|endswith: "$"
- condition: selection and not filter
-falsepositives:
- - unknown
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-creation_date: 2020/11/8
-updated_date: 2021/11/18
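Review bot: this is the better-formed of the two 4720 rules (explicit `filter` and `condition: selection and not filter`); if the pair is being consolidated, its structure is the one to keep. No replacement is visible in the diff.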
diff --git a/rules/alert-rules/hayabusa/Security/4728.yml b/rules/alert-rules/hayabusa/Security/4728.yml
deleted file mode 100644
index 2be29502..00000000
--- a/rules/alert-rules/hayabusa/Security/4728.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: User added to local Administrators group
-description: A user was added to a group.
-author: Eric Conrad, Zach Mathis
-level: high
-detection:
- selection:
- Channel: Security
- EventID: 4728
- TargetUserName: Administrators
- # condition: selection
-falsepositives:
- - unknown
-output: 'User: %MemberName% : SID: %MemberSid%'
-creation_date: 2020/11/8
-updated_date: 2021/11/18
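Review bot: `condition` is commented out here, so the rule relied on an implicit default rather than the documented `condition` key. The diff adds no replacement for Event 4728, so confirm the Administrators-group-membership alert is preserved elsewhere.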
diff --git a/rules/alert-rules/hayabusa/Security/4756.yml b/rules/alert-rules/hayabusa/Security/4756.yml
deleted file mode 100644
index e04c6376..00000000
--- a/rules/alert-rules/hayabusa/Security/4756.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: User added to Administrators universal group.
-description: hogehoge
-author: Eric Conrad, Zach Mathis
-level: high
-detection:
- selection:
- Channel: Security
- EventID: 4756
- TargetUserName: Administrators
- # condition: selection
-falsepositives:
- - unknown
-output: 'UserName: %MemberName% : SID: %MemberSid%'
-creation_date: 2020/11/8
-updated_date: 2021/11/8
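Review bot: same defects as the 4728 rule (placeholder `hogehoge` description, commented-out `condition`); removal is fine, but note the title ends with a period unlike the other rules, which a replacement should drop for consistency.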
diff --git a/rules/alert-rules/hayabusa/Security/_4625.yml b/rules/alert-rules/hayabusa/Security/_4625.yml
deleted file mode 100644
index e0600ef1..00000000
--- a/rules/alert-rules/hayabusa/Security/_4625.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: An account failed to log on
-description: Logon Failure
-ignore: true
-author: Eric Conrad, Zach Mathis
-detection:
- selection:
- Channel: Security
- EventID: 4625
- # condition: selection | count(TargetUserName) > 3
-falsepositives:
- - unknown
-output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
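Review bot: the rule was already `ignore: true`, and its output references `%count%` while the `count(TargetUserName) > 3` condition that would produce it is commented out; `faiures` is also misspelled. Nothing functional is lost by removing it, but a working logon-failure threshold rule should replace it eventually.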
diff --git a/rules/alert-rules/hayabusa/Security/_4648.yml b/rules/alert-rules/hayabusa/Security/_4648.yml
deleted file mode 100644
index ad71e9b4..00000000
--- a/rules/alert-rules/hayabusa/Security/_4648.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: An account failed to log on
-description: hogehoge
-ignore: true
-author: Eric Conrad, Zach Mathis
-detection:
- selection:
- Channel: Security
- EventID: 4648
- # condition: selection | count(TargetUserName) > 3
-falsepositives:
- - unknown
-output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
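Review bot: several defects worth not carrying into any rewrite: the title `An account failed to log on` is copied from the 4625 rule although 4648 is explicit-credential logon; the output uses `¥n` (yen sign) where `\n` was intended; and `%TargetUserName$` closes the placeholder with `$` instead of `%`.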
diff --git a/rules/alert-rules/hayabusa/Security/_4672.yml b/rules/alert-rules/hayabusa/Security/_4672.yml
deleted file mode 100644
index 81a2c7cc..00000000
--- a/rules/alert-rules/hayabusa/Security/_4672.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Command Line Logging
-description: Command Line Logging
-ignore: true
-author: Eric Conrad, Zach Mathis
-detection:
- selection:
- Channel: Security
- EventID: 4672
- PrivilegeList|contains: SeDebugPrivilege
- # condition: selection
-falsepositives:
- - unknown
-output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
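Review bot: the title (`Command Line Logging`) and the output placeholders `%CommandLine%`/`%ParentProcessName%` appear copied from a process-creation rule and do not correspond to the selection, which keys on `PrivilegeList|contains: SeDebugPrivilege`; Event 4672 carries no command-line fields. Fine to delete; a rewrite should output `%SubjectUserName%` and `%PrivilegeList%`.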
diff --git a/rules/alert-rules/hayabusa/Sysmon/1.yml b/rules/alert-rules/hayabusa/Sysmon/1.yml
deleted file mode 100644
index 08c4ca47..00000000
--- a/rules/alert-rules/hayabusa/Sysmon/1.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Command line execution
-description: Command line execution
-author: Eric Conrad, Zach Mathis
-detection:
- selection:
- Channel: Sysmon
- EventID: 1
- CommandLine|re: '.+'
- # condition: selection
-falsepositives:
- - unknown
-output: 'CommandLine: %CommandLine% : ParentImage:%ParentImage%'
-creation_date: 2020/11/8
-uodated_date: 2021/11/8
-
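Review bot: `CommandLine|re: '.+'` matches every Sysmon Event ID 1 with a non-empty command line, so this rule produced an alert per process creation rather than detecting anything; it also has no `level`, and the key `uodated_date` is misspelled (`updated_date`). Deleting it is right; a generic process-creation record does not belong among alert rules.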
diff --git a/rules/alert-rules/hayabusa/Sysmon/7.yml b/rules/alert-rules/hayabusa/Sysmon/7.yml
deleted file mode 100644
index cc9e497f..00000000
--- a/rules/alert-rules/hayabusa/Sysmon/7.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: Unsigned EXEs/DLLs
-description: Detects usage of unsigned exe and dlls.
-author: Eric Conrad, Zach Mathis
-detection:
- selection:
- Channel: Sysmon
- EventID: 7
- Signed: "false" # Compare by string
- # condition: selection
-falsepositives:
- - unknown
-output: 'Unsigned Image(DLL): %event_data.Image : Command: %event_data.ImageLoaded%'
-creation_date: 2020/11/8
-uodated_date: 2021/11/8
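Review bot: `%event_data.Image` lacks its closing `%`, the label `Command:` is attached to `%event_data.ImageLoaded%` (the loaded image path, not a command), and `uodated_date` is misspelled. Any replacement for unsigned image loads should fix all three.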
diff --git a/rules/alert-rules/hayabusa/System/7030.yml b/rules/alert-rules/hayabusa/System/7030.yml
deleted file mode 100644
index 5b1c1e7f..00000000
--- a/rules/alert-rules/hayabusa/System/7030.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: Interactive service may not function properly
-description: Uses a blocklist of suspicious services to detect malware. 7030 happens when a service is marked as an interactive service but the system is not configured to allow interactive services so it might not function properly.
-author: Eric Conrad, Zach Mathis
-level: low
-detection:
- selection:
- Channel: System
- EventID: 7030
- param1:
- regexes: ./config/regex/regexes_suspicous_service.txt
- # condition: selection
-falsepositives:
- - unknown
-output: 'Service: %ServiceName%'
-creation_date: 2020/11/8
-uodated_date: 2020/11/8
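Review bot: the `regexes: ./config/regex/regexes_suspicous_service.txt` reference has a typo in the file name (`suspicous`) and is a relative path resolved from the working directory; `uodated_date` is also misspelled. If a replacement keeps the external regex list, make sure the referenced name matches the file actually present under `config/regex/`.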
diff --git a/rules/alert-rules/hayabusa/System/7040.yml b/rules/alert-rules/hayabusa/System/7040.yml
deleted file mode 100644
index 3ac40691..00000000
--- a/rules/alert-rules/hayabusa/System/7040.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: Windows Event Log service start type changed from auto start to disabled
-description: Possible anti-forensics disabling the log service.
-author: Eric Conrad, Zach Mathis
-level: high
-detection:
- selection:
- Channel: System
- EventID: 7040
- param1: 'Windows Event Log'
- param2:
- - "disabled"
- - "auto start"
- condition: selection
-falsepositives:
- - unknown
-output: 'Service: %param1%'
-creation_date: 2020/11/8
-uodated_date: 2021/11/8
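Review bot: `param2` is given as a two-item list, which matches either `disabled` or `auto start` in that single field; it does not express the auto start to disabled transition the title claims, since Event 7040 carries the old and new start types in separate params. Fine to remove; a replacement should match the old and new values in their own fields. `uodated_date` is also misspelled.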
diff --git a/rules/alert-rules/hayabusa/System/7045.yml b/rules/alert-rules/hayabusa/System/7045.yml
deleted file mode 100644
index 5c2e6e9f..00000000
--- a/rules/alert-rules/hayabusa/System/7045.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-title: Service installed
-description: A service was installed. Malware often will install itself as malware.
-author: Eric Conrad, Zach Mathis
-level: low
-detection:
- selection:
- Channel: System
- EventID: 7045
- ServiceName:
- regexes: ./config/regex/regexes_suspicous_service.txt
- ImagePath:
- min_length: 1000
- allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
- condition: selection
-falsepositives:
- - unknown
-output: 'Service: %ServiceName% : Image path: %ImagePath'
-creation_date: 2020/11/8
-uodated_date: 2021/11/8
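Review bot: `min_length: 1000` on `ImagePath` requires a path of at least 1000 characters, which would suppress nearly every real service install; `%ImagePath` is missing its closing `%`; and the description reads `install itself as malware` (presumably `as a service`). The allowlist file name `allowlist_legimate_serviceimage.txt` also has a typo. None of this should be carried into a replacement.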
diff --git a/rules/alert-rules/sigma/av_exploiting.yml b/rules/alert-rules/sigma/av_exploiting.yml
deleted file mode 100644
index fe011d8d..00000000
--- a/rules/alert-rules/sigma/av_exploiting.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Antivirus Exploitation Framework Detection
-author: Florian Roth
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports an exploitation
- framework
-detection:
- SELECTION_1:
- Signature: '*MeteTool*'
- SELECTION_10:
- Signature: '*CobaltStr*'
- SELECTION_11:
- Signature: '*COBEACON*'
- SELECTION_12:
- Signature: '*Cometer*'
- SELECTION_13:
- Signature: '*Razy*'
- SELECTION_2:
- Signature: '*MPreter*'
- SELECTION_3:
- Signature: '*Meterpreter*'
- SELECTION_4:
- Signature: '*Metasploit*'
- SELECTION_5:
- Signature: '*PowerSploit*'
- SELECTION_6:
- Signature: '*CobaltSrike*'
- SELECTION_7:
- Signature: '*Swrort*'
- SELECTION_8:
- Signature: '*Rozena*'
- SELECTION_9:
- Signature: '*Backdoor.Cobalt*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13)
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
-level: critical
-logsource:
- product: antivirus
-modified: 2019/01/16
-references:
-- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-tags:
-- attack.execution
-- attack.t1203
-- attack.command_and_control
-- attack.t1219
-yml_filename: av_exploiting.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
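Review bot: the removed converted rules carry a `yml_path` of `/Users/user/Documents/YamatoSecurity/sigma/...`, a path from the converting machine that should not be committed; if the sigma rules are regenerated and re-added, strip `yml_path`/`yml_filename` or make them repo-relative. The same applies to every sigma hunk below.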
diff --git a/rules/alert-rules/sigma/av_hacktool.yml b/rules/alert-rules/sigma/av_hacktool.yml
deleted file mode 100644
index 7eb298ae..00000000
--- a/rules/alert-rules/sigma/av_hacktool.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Antivirus Hacktool Detection
-author: Florian Roth
-date: 2021/08/16
-description: Detects a highly relevant Antivirus alert that reports a hack tool or
- other attack tool
-detection:
- SELECTION_1:
- Signature: HTOOL*
- SELECTION_2:
- Signature: HKTL*
- SELECTION_3:
- Signature: SecurityTool*
- SELECTION_4:
- Signature: ATK/*
- SELECTION_5:
- Signature: '*Hacktool*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5))
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
-level: high
-logsource:
- product: antivirus
-references:
-- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
-tags:
-- attack.execution
-yml_filename: av_hacktool.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/av_password_dumper.yml b/rules/alert-rules/sigma/av_password_dumper.yml
deleted file mode 100644
index 82080249..00000000
--- a/rules/alert-rules/sigma/av_password_dumper.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: Antivirus Password Dumper Detection
-author: Florian Roth
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports a password dumper
-detection:
- SELECTION_1:
- Signature: '*DumpCreds*'
- SELECTION_10:
- Signature: '*Kekeo*'
- SELECTION_11:
- Signature: '*LsassDump*'
- SELECTION_12:
- Signature: '*Outflank*'
- SELECTION_2:
- Signature: '*Mimikatz*'
- SELECTION_3:
- Signature: '*PWCrack*'
- SELECTION_4:
- Signature: '*HTool/WCE*'
- SELECTION_5:
- Signature: '*PSWtool*'
- SELECTION_6:
- Signature: '*PWDump*'
- SELECTION_7:
- Signature: '*SecurityTool*'
- SELECTION_8:
- Signature: '*PShlSpy*'
- SELECTION_9:
- Signature: '*Rubeus*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12)
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
-level: critical
-logsource:
- product: antivirus
-modified: 2019/10/04
-references:
-- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1558
-- attack.t1003.001
-- attack.t1003.002
-yml_filename: av_password_dumper.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/av_printernightmare_cve_2021_34527.yml b/rules/alert-rules/sigma/av_printernightmare_cve_2021_34527.yml
deleted file mode 100644
index 27cc0364..00000000
--- a/rules/alert-rules/sigma/av_printernightmare_cve_2021_34527.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
-author: Sittikorn S, Nuttakorn T
-date: 2021/07/01
-description: Detects the suspicious file that is created from PoC code against Windows
- Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
- CVE-2021-1675 .
-detection:
- SELECTION_1:
- FileName: '*C:\Windows\System32\spool\drivers\x64\\*'
- condition: SELECTION_1
-falsepositives:
-- Unlikely
-fields:
-- Signature
-- FileName
-- ComputerName
-id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
-level: critical
-logsource:
- product: antivirus
-references:
-- https://twitter.com/mvelazco/status/1410291741241102338
-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
-status: stable
-tags:
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: av_printernightmare_cve_2021_34527.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/av_relevant_files.yml b/rules/alert-rules/sigma/av_relevant_files.yml
deleted file mode 100644
index 7cd864e2..00000000
--- a/rules/alert-rules/sigma/av_relevant_files.yml
+++ /dev/null
@@ -1,137 +0,0 @@
-title: Antivirus Relevant File Paths Alerts
-author: Florian Roth, Arnim Rupp
-date: 2018/09/09
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant
- file name
-detection:
- SELECTION_1:
- FileName: C:\Windows\\*
- SELECTION_10:
- FileName: '*apache*'
- SELECTION_11:
- FileName: '*tomcat*'
- SELECTION_12:
- FileName: '*nginx*'
- SELECTION_13:
- FileName: '*weblogic*'
- SELECTION_14:
- Filename: '*.ps1'
- SELECTION_15:
- Filename: '*.psm1'
- SELECTION_16:
- Filename: '*.vbs'
- SELECTION_17:
- Filename: '*.bat'
- SELECTION_18:
- Filename: '*.cmd'
- SELECTION_19:
- Filename: '*.sh'
- SELECTION_2:
- FileName: C:\Temp\\*
- SELECTION_20:
- Filename: '*.chm'
- SELECTION_21:
- Filename: '*.xml'
- SELECTION_22:
- Filename: '*.txt'
- SELECTION_23:
- Filename: '*.jsp'
- SELECTION_24:
- Filename: '*.jspx'
- SELECTION_25:
- Filename: '*.asp'
- SELECTION_26:
- Filename: '*.aspx'
- SELECTION_27:
- Filename: '*.ashx'
- SELECTION_28:
- Filename: '*.asax'
- SELECTION_29:
- Filename: '*.asmx'
- SELECTION_3:
- FileName: C:\PerfLogs\\*
- SELECTION_30:
- Filename: '*.php'
- SELECTION_31:
- Filename: '*.cfm'
- SELECTION_32:
- Filename: '*.py'
- SELECTION_33:
- Filename: '*.pyc'
- SELECTION_34:
- Filename: '*.pl'
- SELECTION_35:
- Filename: '*.rb'
- SELECTION_36:
- Filename: '*.cgi'
- SELECTION_37:
- Filename: '*.war'
- SELECTION_38:
- Filename: '*.ear'
- SELECTION_39:
- Filename: '*.hta'
- SELECTION_4:
- FileName: C:\Users\Public\\*
- SELECTION_40:
- Filename: '*.lnk'
- SELECTION_41:
- Filename: '*.scf'
- SELECTION_42:
- Filename: '*.sct'
- SELECTION_43:
- Filename: '*.vbe'
- SELECTION_44:
- Filename: '*.wsf'
- SELECTION_45:
- Filename: '*.wsh'
- SELECTION_46:
- Filename: '*.gif'
- SELECTION_47:
- Filename: '*.png'
- SELECTION_48:
- Filename: '*.jpg'
- SELECTION_49:
- Filename: '*.jpeg'
- SELECTION_5:
- FileName: C:\Users\Default\\*
- SELECTION_50:
- Filename: '*.svg'
- SELECTION_51:
- Filename: '*.dat'
- SELECTION_6:
- FileName: '*\Client\\*'
- SELECTION_7:
- FileName: '*\tsclient\\*'
- SELECTION_8:
- FileName: '*\inetpub\\*'
- SELECTION_9:
- FileName: '*/www/*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13) or (SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51))
-falsepositives:
-- Unlikely
-fields:
-- Signature
-- User
-id: c9a88268-0047-4824-ba6e-4d81ce0b907c
-level: high
-logsource:
- product: antivirus
-modified: 2021/05/09
-references:
-- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
-tags:
-- attack.resource_development
-- attack.t1588
-yml_filename: av_relevant_files.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
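Review bot: SELECTION_14 through SELECTION_51 use `Filename` (lower-case n) while SELECTION_1 through SELECTION_13 use `FileName`; if field matching is case-sensitive, none of the extension-based selections ever match. The inconsistency is in the upstream rule as converted, so a regenerated version should normalise the field name.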
diff --git a/rules/alert-rules/sigma/av_webshell.yml b/rules/alert-rules/sigma/av_webshell.yml
deleted file mode 100644
index 1db28cc7..00000000
--- a/rules/alert-rules/sigma/av_webshell.yml
+++ /dev/null
@@ -1,126 +0,0 @@
-title: Antivirus Web Shell Detection
-author: Florian Roth, Arnim Rupp
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports a web shell. It's
- highly recommended to tune this rule to the specific strings used by your anti
- virus solution by downloading a big webshell repo from e.g. github and checking
- the matches.
-detection:
- SELECTION_1:
- Signature: PHP/*
- SELECTION_10:
- Signature: IIS/BackDoor*
- SELECTION_11:
- Signature: JAVA/Backdoor*
- SELECTION_12:
- Signature: Troj/ASP*
- SELECTION_13:
- Signature: Troj/PHP*
- SELECTION_14:
- Signature: Troj/JSP*
- SELECTION_15:
- Signature: '*Webshell*'
- SELECTION_16:
- Signature: '*Chopper*'
- SELECTION_17:
- Signature: '*SinoChoper*'
- SELECTION_18:
- Signature: '*ASPXSpy*'
- SELECTION_19:
- Signature: '*Aspdoor*'
- SELECTION_2:
- Signature: JSP/*
- SELECTION_20:
- Signature: '*filebrowser*'
- SELECTION_21:
- Signature: '*PHP_*'
- SELECTION_22:
- Signature: '*JSP_*'
- SELECTION_23:
- Signature: '*ASP_*'
- SELECTION_24:
- Signature: '*PHP:*'
- SELECTION_25:
- Signature: '*JSP:*'
- SELECTION_26:
- Signature: '*ASP:*'
- SELECTION_27:
- Signature: '*Perl:*'
- SELECTION_28:
- Signature: '*PHPShell*'
- SELECTION_29:
- Signature: '*Trojan.PHP*'
- SELECTION_3:
- Signature: ASP/*
- SELECTION_30:
- Signature: '*Trojan.ASP*'
- SELECTION_31:
- Signature: '*Trojan.JSP*'
- SELECTION_32:
- Signature: '*Trojan.VBS*'
- SELECTION_33:
- Signature: '*PHP?Agent*'
- SELECTION_34:
- Signature: '*ASP?Agent*'
- SELECTION_35:
- Signature: '*JSP?Agent*'
- SELECTION_36:
- Signature: '*VBS?Agent*'
- SELECTION_37:
- Signature: '*Backdoor?PHP*'
- SELECTION_38:
- Signature: '*Backdoor?JSP*'
- SELECTION_39:
- Signature: '*Backdoor?ASP*'
- SELECTION_4:
- Signature: Perl/*
- SELECTION_40:
- Signature: '*Backdoor?VBS*'
- SELECTION_41:
- Signature: '*Backdoor?Java*'
- SELECTION_5:
- Signature: PHP.*
- SELECTION_6:
- Signature: JSP.*
- SELECTION_7:
- Signature: ASP.*
- SELECTION_8:
- Signature: Perl.*
- SELECTION_9:
- Signature: VBS/Uxor*
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14) or (SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41))
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: fdf135a2-9241-4f96-a114-bb404948f736
-level: critical
-logsource:
- product: antivirus
-modified: 2021/05/08
-references:
-- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
-- https://github.com/tennc/webshell
-- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
-- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
-- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
-- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
-- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
-- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
-- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
-tags:
-- attack.persistence
-- attack.t1100
-- attack.t1505.003
-yml_filename: av_webshell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/dns_net_susp_ipify.yml b/rules/alert-rules/sigma/dns_net_susp_ipify.yml
deleted file mode 100644
index a16dda5e..00000000
--- a/rules/alert-rules/sigma/dns_net_susp_ipify.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-title: Suspicious DNS Query for IP Lookup Service APIs
-author: Brandon George (blog post), Thomas Patzke (rule)
-date: 2021/07/08
-description: Detects DNS queries for ip lookup services such as api.ipify.org not
- originating from a browser process.
-detection:
- SELECTION_1:
- EventID: 22
- SELECTION_10:
- QueryName: api.ipify.org
- SELECTION_11:
- QueryName: ip-api.com
- SELECTION_12:
- QueryName: checkip.amazonaws.com
- SELECTION_13:
- QueryName: ipecho.net
- SELECTION_14:
- QueryName: ipinfo.io
- SELECTION_15:
- QueryName: ipv4bot.whatismyipaddress.com
- SELECTION_16:
- QueryName: freegeoip.app
- SELECTION_17:
- Image: '*\chrome.exe'
- SELECTION_18:
- Image: '*\iexplore.exe'
- SELECTION_19:
- Image: '*\firefox.exe'
- SELECTION_2:
- QueryName: canireachthe.net
- SELECTION_20:
- Image: '*\brave.exe'
- SELECTION_21:
- Image: '*\opera.exe'
- SELECTION_22:
- Image: '*\msedge.exe'
- SELECTION_23:
- Image: '*\vivaldi.exe'
- SELECTION_3:
- QueryName: ipv4.icanhazip.com
- SELECTION_4:
- QueryName: ip.anysrc.net
- SELECTION_5:
- QueryName: edns.ip-api.com
- SELECTION_6:
- QueryName: wtfismyip.com
- SELECTION_7:
- QueryName: checkip.dyndns.org
- SELECTION_8:
- QueryName: api.2ip.ua
- SELECTION_9:
- QueryName: icanhazip.com
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16) and not ((SELECTION_17 or SELECTION_18 or SELECTION_19 or
- SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23)))
-falsepositives:
-- Legitimate usage of ip lookup services such as ipify API
-id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
-level: medium
-logsource:
- category: dns_query
- product: windows
-modified: 2021/09/10
-references:
-- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
-- https://twitter.com/neonprimetime/status/1436376497980428318
-status: experimental
-tags:
-- attack.reconnaissance
-- attack.t1590
-yml_filename: dns_net_susp_ipify.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
-
diff --git a/rules/alert-rules/sigma/dns_query_hybridconnectionmgr_servicebus.yml b/rules/alert-rules/sigma/dns_query_hybridconnectionmgr_servicebus.yml
deleted file mode 100644
index 49d00926..00000000
--- a/rules/alert-rules/sigma/dns_query_hybridconnectionmgr_servicebus.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: DNS HybridConnectionManager Service Bus
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-description: Detects Azure Hybrid Connection Manager services querying the Azure service
- bus service
-detection:
- SELECTION_1:
- EventID: 22
- SELECTION_2:
- QueryName: '*servicebus.windows.net*'
- SELECTION_3:
- Image: '*HybridConnectionManager*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
-id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
-level: high
-logsource:
- category: dns_query
- product: windows
-modified: 2021/06/10
-references:
-- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
-status: experimental
-tags:
-- attack.persistence
-yml_filename: dns_query_hybridconnectionmgr_servicebus.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
-
diff --git a/rules/alert-rules/sigma/dns_query_mega_nz.yml b/rules/alert-rules/sigma/dns_query_mega_nz.yml
deleted file mode 100644
index 2cea5e65..00000000
--- a/rules/alert-rules/sigma/dns_query_mega_nz.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: DNS Query for MEGA.io Upload Domain
-author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-description: Detects DNS queries for subdomains used for upload to MEGA.io
-detection:
- SELECTION_1:
- EventID: 22
- SELECTION_2:
- QueryName: '*userstorage.mega.co.nz*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate Mega upload
-id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
-level: high
-logsource:
- category: dns_query
- product: windows
-references:
-- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1567.002
-yml_filename: dns_query_mega_nz.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
-
diff --git a/rules/alert-rules/sigma/dns_query_possible_dns_rebinding.yml b/rules/alert-rules/sigma/dns_query_possible_dns_rebinding.yml
deleted file mode 100644
index 73682cde..00000000
--- a/rules/alert-rules/sigma/dns_query_possible_dns_rebinding.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-title: Possible DNS Rebinding
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-description: Detects several different DNS-answers by one domain with IPs from internal
- and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will
- saved in host cache for a while TTL).
-detection:
- SELECTION_1:
- EventID: 22
- SELECTION_10:
- QueryResults: (::ffff:)?172.20.*
- SELECTION_11:
- QueryResults: (::ffff:)?172.21.*
- SELECTION_12:
- QueryResults: (::ffff:)?172.22.*
- SELECTION_13:
- QueryResults: (::ffff:)?172.23.*
- SELECTION_14:
- QueryResults: (::ffff:)?172.24.*
- SELECTION_15:
- QueryResults: (::ffff:)?172.25.*
- SELECTION_16:
- QueryResults: (::ffff:)?172.26.*
- SELECTION_17:
- QueryResults: (::ffff:)?172.27.*
- SELECTION_18:
- QueryResults: (::ffff:)?172.28.*
- SELECTION_19:
- QueryResults: (::ffff:)?172.29.*
- SELECTION_2:
- QueryName: '*'
- SELECTION_20:
- QueryResults: (::ffff:)?172.30.*
- SELECTION_21:
- QueryResults: (::ffff:)?172.31.*
- SELECTION_22:
- QueryResults: (::ffff:)?127.*
- SELECTION_23:
- QueryName: '*'
- SELECTION_24:
- QueryStatus: '0'
- SELECTION_25:
- QueryResults: (::ffff:)?10.*
- SELECTION_26:
- QueryResults: (::ffff:)?192.168.*
- SELECTION_27:
- QueryResults: (::ffff:)?172.16.*
- SELECTION_28:
- QueryResults: (::ffff:)?172.17.*
- SELECTION_29:
- QueryResults: (::ffff:)?172.18.*
- SELECTION_3:
- QueryStatus: '0'
- SELECTION_30:
- QueryResults: (::ffff:)?172.19.*
- SELECTION_31:
- QueryResults: (::ffff:)?172.20.*
- SELECTION_32:
- QueryResults: (::ffff:)?172.21.*
- SELECTION_33:
- QueryResults: (::ffff:)?172.22.*
- SELECTION_34:
- QueryResults: (::ffff:)?172.23.*
- SELECTION_35:
- QueryResults: (::ffff:)?172.24.*
- SELECTION_36:
- QueryResults: (::ffff:)?172.25.*
- SELECTION_37:
- QueryResults: (::ffff:)?172.26.*
- SELECTION_38:
- QueryResults: (::ffff:)?172.27.*
- SELECTION_39:
- QueryResults: (::ffff:)?172.28.*
- SELECTION_4:
- QueryResults: (::ffff:)?10.*
- SELECTION_40:
- QueryResults: (::ffff:)?172.29.*
- SELECTION_41:
- QueryResults: (::ffff:)?172.30.*
- SELECTION_42:
- QueryResults: (::ffff:)?172.31.*
- SELECTION_43:
- QueryResults: (::ffff:)?127.*
- SELECTION_5:
- QueryResults: (::ffff:)?192.168.*
- SELECTION_6:
- QueryResults: (::ffff:)?172.16.*
- SELECTION_7:
- QueryResults: (::ffff:)?172.17.*
- SELECTION_8:
- QueryResults: (::ffff:)?172.18.*
- SELECTION_9:
- QueryResults: (::ffff:)?172.19.*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22) and (SELECTION_23 and SELECTION_24) and not
- ((SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29
- or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34
- or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
- or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43)))| count(QueryName)
- by ComputerName > 3
-id: eb07e747-2552-44cd-af36-b659ae0958e4
-level: medium
-logsource:
- category: dns_query
- product: windows
-modified: 2020/08/28
-references:
-- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
-status: experimental
-tags:
-- attack.initial_access
-- attack.t1189
-yml_filename: dns_query_possible_dns_rebinding.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
-
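Review bot: the deleted condition was unsatisfiable, which justifies the removal but should be recorded in the PR description: SELECTION_25 to SELECTION_43 repeat exactly the same `QueryResults` patterns as SELECTION_4 to SELECTION_22, and the condition requires the first group `and not` the second, which no single event can satisfy. The values are also regex fragments such as `(::ffff:)?10.*` placed in fields that the other rules in this diff match with plain `*` wildcards, with no regex modifier on the key, so any replacement should express the private ranges as wildcard prefixes (for example `10.*` and `::ffff:10.*`) and keep the `count(QueryName) by ComputerName > 3` aggregation as a separate step.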
diff --git a/rules/alert-rules/sigma/dns_query_regsvr32_network_activity.yml b/rules/alert-rules/sigma/dns_query_regsvr32_network_activity.yml
deleted file mode 100644
index 30dd7d05..00000000
--- a/rules/alert-rules/sigma/dns_query_regsvr32_network_activity.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Regsvr32 Network Activity
-author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-description: Detects network connections and DNS queries initiated by Regsvr32.exe
-detection:
- SELECTION_1:
- EventID: 22
- SELECTION_2:
- Image: '*\regsvr32.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- ComputerName
-- User
-- Image
-- DestinationIp
-- DestinationPort
-id: 36e037c4-c228-4866-b6a3-48eb292b9955
-level: high
-logsource:
- category: dns_query
- product: windows
-modified: 2021/09/21
-references:
-- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
-- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
-related:
-- id: c7e91a02-d771-4a6d-a700-42587e0b1095
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-- attack.defense_evasion
-- attack.t1218.010
-- attack.t1117
-yml_filename: dns_query_regsvr32_network_activity.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
-
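Review bot: the `fields` list in the deleted rule (`DestinationIp`, `DestinationPort`) belongs to a network-connection event, not to the `dns_query` / `EventID: 22` source the detection actually matches, and the tags mix current technique IDs (`attack.t1559.001`, `attack.t1218.010`) with their retired predecessors (`attack.t1175`, `attack.t1117`). If the rule is reintroduced, keep only the DNS event fields (`Image`, `QueryName`, `User`) and the current tags.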
diff --git a/rules/alert-rules/sigma/driver_load_mal_creddumper.yml b/rules/alert-rules/sigma/driver_load_mal_creddumper.yml
deleted file mode 100644
index df44c3f1..00000000
--- a/rules/alert-rules/sigma/driver_load_mal_creddumper.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Credential Dumping Tools Service Execution
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-description: Detects well-known credential dumping tools execution via service execution
- events
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_2:
- ImageLoaded: '*fgexec*'
- SELECTION_3:
- ImageLoaded: '*dumpsvc*'
- SELECTION_4:
- ImageLoaded: '*cachedump*'
- SELECTION_5:
- ImageLoaded: '*mimidrv*'
- SELECTION_6:
- ImageLoaded: '*gsecdump*'
- SELECTION_7:
- ImageLoaded: '*servpw*'
- SELECTION_8:
- ImageLoaded: '*pwdump*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Legitimate Administrator using credential dumping tool for password recovery
-id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
-level: critical
-logsource:
- category: driver_load
- product: windows
-modified: 2021/11/10
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-related:
-- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
- type: derived
-tags:
-- attack.credential_access
-- attack.execution
-- attack.t1003
-- attack.t1003.001
-- attack.t1003.002
-- attack.t1003.004
-- attack.t1003.005
-- attack.t1003.006
-- attack.t1035
-- attack.t1569.002
-- attack.s0005
-yml_filename: driver_load_mal_creddumper.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
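Review bot: the title and description speak of "service execution events", but the deleted logic matched `EventID: 6` on `ImageLoaded` under `category: driver_load`, that is, driver loads; the conversion appears to have kept only the driver-load branch of a multi-source rule while retaining the service-execution wording and tags (`attack.t1035`, `attack.t1569.002`). A replacement should either add the service-installation source or reword the description and tags to match driver loads.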
diff --git a/rules/alert-rules/sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/alert-rules/sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
deleted file mode 100644
index 4ee45f46..00000000
--- a/rules/alert-rules/sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
- a specific service installation
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_10:
- ImagePath: '*cmd.exe*'
- SELECTION_11:
- ImagePath: '*/c*'
- SELECTION_12:
- ImagePath: '*echo*'
- SELECTION_13:
- ImagePath: '*\pipe\\*'
- SELECTION_14:
- ImagePath: '*rundll32*'
- SELECTION_15:
- ImagePath: '*.dll,a*'
- SELECTION_16:
- ImagePath: '*/p:*'
- SELECTION_2:
- ImagePath: '*cmd*'
- SELECTION_3:
- ImagePath: '*/c*'
- SELECTION_4:
- ImagePath: '*echo*'
- SELECTION_5:
- ImagePath: '*\pipe\\*'
- SELECTION_6:
- ImagePath: '*%COMSPEC%*'
- SELECTION_7:
- ImagePath: '*/c*'
- SELECTION_8:
- ImagePath: '*echo*'
- SELECTION_9:
- ImagePath: '*\pipe\\*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)
- or (SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14
- and SELECTION_15 and SELECTION_16)))
-falsepositives:
-- Highly unlikely
-fields:
-- ComputerName
-- SubjectDomainName
-- SubjectUserName
-- ImagePath
-id: d585ab5a-6a69-49a8-96e8-4a726a54de46
-level: critical
-logsource:
- category: driver_load
- product: windows
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-related:
-- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
- type: derived
-tags:
-- attack.privilege_escalation
-- attack.t1134
-- attack.t1134.001
-- attack.t1134.002
-yml_filename: driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
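Review bot: the deleted rule could never fire: every selection matches on `ImagePath`, a field of service-installation events, while the log source is `category: driver_load` with `EventID: 6`, whose image field is `ImageLoaded` (as the other `driver_load` rules in this diff use). If a replacement is written for the getsystem pattern, point it at the service-installation log source where `ImagePath` exists.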
diff --git a/rules/alert-rules/sigma/driver_load_powershell_script_installed_as_service.yml b/rules/alert-rules/sigma/driver_load_powershell_script_installed_as_service.yml
deleted file mode 100644
index 6d64cf56..00000000
--- a/rules/alert-rules/sigma/driver_load_powershell_script_installed_as_service.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: PowerShell Scripts Run by a Services
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects powershell script installed as a Service
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_2:
- ImageLoaded: '*powershell*'
- SELECTION_3:
- ImageLoaded: '*pwsh*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
-level: high
-logsource:
- category: driver_load
- product: windows
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-related:
-- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1569.002
-yml_filename: driver_load_powershell_script_installed_as_service.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
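Review bot: same field/source mismatch as the getsystem rule above: the description says "installed as a Service" and the tag is `attack.t1569.002`, but the logic matches `EventID: 6` driver loads on `ImageLoaded`, so a PowerShell service installation would not be seen. The title "PowerShell Scripts Run by a Services" should also be corrected to "Run as a Service" if the rule comes back.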
diff --git a/rules/alert-rules/sigma/driver_load_susp_temp_use.yml b/rules/alert-rules/sigma/driver_load_susp_temp_use.yml
deleted file mode 100644
index 2b50f583..00000000
--- a/rules/alert-rules/sigma/driver_load_susp_temp_use.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Suspicious Driver Load from Temp
-author: Florian Roth
-date: 2017/02/12
-description: Detects a driver load from a temporary directory
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_2:
- ImageLoaded: '*\Temp\\*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- there is a relevant set of false positives depending on applications in the environment
-id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
-level: high
-logsource:
- category: driver_load
- product: windows
-modified: 2020/08/23
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1050
-- attack.t1543.003
-yml_filename: driver_load_susp_temp_use.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
diff --git a/rules/alert-rules/sigma/driver_load_vuln_dell_driver.yml b/rules/alert-rules/sigma/driver_load_vuln_dell_driver.yml
deleted file mode 100644
index c38b2e84..00000000
--- a/rules/alert-rules/sigma/driver_load_vuln_dell_driver.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Vulnerable Dell BIOS Update Driver Load
-author: Florian Roth
-date: 2021/05/05
-description: Detects the load of the vulnerable Dell BIOS update driver as reported
- in CVE-2021-21551
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_2:
- ImageLoaded: '*\DBUtil_2_3.Sys*'
- SELECTION_3:
- Hashes: '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
- SELECTION_4:
- Hashes: '*c948ae14761095e4d76b55d9de86412258be7afd*'
- SELECTION_5:
- Hashes: '*c996d7971c49252c582171d9380360f2*'
- SELECTION_6:
- Hashes: '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
- SELECTION_7:
- Hashes: '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
- SELECTION_8:
- Hashes: '*d2fd132ab7bbc6bbb87a84f026fa0244*'
- condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8)))
-falsepositives:
-- legitimate BIOS driver updates (should be rare)
-id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
-level: high
-logsource:
- category: driver_load
- product: windows
-references:
-- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
-tags:
-- attack.privilege_escalation
-- cve.2021.21551
-yml_filename: driver_load_vuln_dell_driver.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
diff --git a/rules/alert-rules/sigma/driver_load_windivert.yml b/rules/alert-rules/sigma/driver_load_windivert.yml
deleted file mode 100644
index 9ca72327..00000000
--- a/rules/alert-rules/sigma/driver_load_windivert.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: WinDivert Driver Load
-author: Florian Roth
-date: 2021/07/30
-description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
- package for Windows
-detection:
- SELECTION_1:
- EventID: 6
- SELECTION_2:
- ImageLoaded: '*\WinDivert.sys*'
- SELECTION_3:
- ImageLoaded: '*\WinDivert64.sys*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- legitimate WinDivert driver usage
-id: 679085d5-f427-4484-9f58-1dc30a7c426d
-level: high
-logsource:
- category: driver_load
- product: windows
-references:
-- https://reqrypt.org/windivert-doc.html
-- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
-status: experimental
-tags:
-- attack.collection
-- attack.defense_evasion
-- attack.t1599.001
-- attack.t1557.001
-yml_filename: driver_load_windivert.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
-
diff --git a/rules/alert-rules/sigma/edr_command_execution_by_office_applications.yml b/rules/alert-rules/sigma/edr_command_execution_by_office_applications.yml
deleted file mode 100644
index f52ddc50..00000000
--- a/rules/alert-rules/sigma/edr_command_execution_by_office_applications.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: EDR WMI Command Execution by Office Applications
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: Initial execution of malicious document calls wmic Win32_Process::Create
- to execute the file with regsvr32
-detection:
- SELECTION_1:
- EventLog: EDR
- SELECTION_2:
- EventType: WMIExecution
- SELECTION_3:
- WMIcommand: '*Win32_Process\:\:Create*'
- SELECTION_4:
- Image: '*\winword.exe'
- SELECTION_5:
- Image: '*\excel.exe'
- SELECTION_6:
- Image: '*\powerpnt.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Unknown
-id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
-level: high
-logsource:
- category: edr
- product: windows
-modified: 2021/11/09
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: edr_command_execution_by_office_applications.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/edr
-
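Review bot: the deleted rule depended on a non-standard `category: edr` source and on fields (`EventLog: EDR`, `EventType: WMIExecution`, `WMIcommand`) that no Windows event log provides, so it could not match evtx data regardless of the Office image filter; removing it is reasonable, but the PR description should say whether an equivalent will be expressed against a log source this project can read.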
diff --git a/rules/alert-rules/sigma/file_event_advanced_ip_scanner.yml b/rules/alert-rules/sigma/file_event_advanced_ip_scanner.yml
deleted file mode 100644
index f0ebc47a..00000000
--- a/rules/alert-rules/sigma/file_event_advanced_ip_scanner.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Advanced IP Scanner
-author: '@ROxPinTeddy'
-date: 2020/05/12
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
- ransomware groups.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate administrative use
-id: fed85bf9-e075-4280-9159-fbe8a023d6fa
-level: medium
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/11
-references:
-- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
-- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
-- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
-related:
-- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
- type: derived
-status: experimental
-tags:
-- attack.discovery
-- attack.t1046
-yml_filename: file_event_advanced_ip_scanner.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_apt_unidentified_nov_18.yml b/rules/alert-rules/sigma/file_event_apt_unidentified_nov_18.yml
deleted file mode 100644
index 9f31ff34..00000000
--- a/rules/alert-rules/sigma/file_event_apt_unidentified_nov_18.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Unidentified Attacker November 2018
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2018/11/20
-description: A sigma rule detecting an unidetefied attacker who used phishing emails
- to target high profile orgs on November 2018. The Actor shares some TTPs with
- YYTRIUM/APT29 campaign in 2016.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*ds7002.lnk*'
- condition: (SELECTION_1 and SELECTION_2)
-id: 3a3f81ca-652c-482b-adeb-b1c804727f74
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/19
-references:
-- https://twitter.com/DrunkBinary/status/1063075530180886529
-related:
-- id: 7453575c-a747-40b9-839b-125a0aae324b
- type: derived
-status: stable
-tags:
-- attack.execution
-- attack.t1218.011
-- attack.t1085
-yml_filename: file_event_apt_unidentified_nov_18.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/alert-rules/sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
deleted file mode 100644
index 3b7a71cc..00000000
--- a/rules/alert-rules/sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
-author: Sittikorn S
-date: 2021/07/16
-description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
- CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
- SELECTION_11:
- TargetFilename: '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
- SELECTION_2:
- TargetFilename: '*C:\Windows\system32\physmem.sys*'
- SELECTION_3:
- TargetFilename: '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
- SELECTION_4:
- TargetFilename: '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
- SELECTION_5:
- TargetFilename: '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
- SELECTION_6:
- TargetFilename: '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
- SELECTION_7:
- TargetFilename: '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
- SELECTION_8:
- TargetFilename: '*C:\Windows\system32\config\config\startwus.dat*'
- SELECTION_9:
- TargetFilename: '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11))
-falsepositives:
-- Unlikely
-id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/09
-references:
-- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
-- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1566
-- attack.t1203
-- cve.2021.33771
-- cve.2021.31979
-yml_filename: file_event_cve_2021_31979_cve_2021_33771_exploits.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_hack_dumpert.yml b/rules/alert-rules/sigma/file_event_hack_dumpert.yml
deleted file mode 100644
index 29e9b434..00000000
--- a/rules/alert-rules/sigma/file_event_hack_dumpert.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Dumpert Process Dumper
-author: Florian Roth
-date: 2020/02/04
-description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
- process memory
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Windows\Temp\dumpert.dmp
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Very unlikely
-id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/21
-references:
-- https://github.com/outflanknl/Dumpert
-- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
-related:
-- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
- type: derived
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: file_event_hack_dumpert.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_hktl_createminidump.yml b/rules/alert-rules/sigma/file_event_hktl_createminidump.yml
deleted file mode 100644
index d9115e7e..00000000
--- a/rules/alert-rules/sigma/file_event_hktl_createminidump.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: CreateMiniDump Hacktool
-author: Florian Roth
-date: 2019/12/22
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
- memory for credential extraction on the attacker's machine
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\lsass.dmp'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: db2110f3-479d-42a6-94fb-d35bc1e46492
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/19
-references:
-- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
-related:
-- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
- type: derived
-tags:
-- attack.credential_access
-- attack.t1003.001
-- attack.t1003
-yml_filename: file_event_hktl_createminidump.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_mal_adwind.yml b/rules/alert-rules/sigma/file_event_mal_adwind.yml
deleted file mode 100644
index e98cdfa3..00000000
--- a/rules/alert-rules/sigma/file_event_mal_adwind.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Adwind RAT / JRAT
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
- SELECTION_3:
- TargetFilename: '*.exe*'
- SELECTION_4:
- TargetFilename: '*\Retrive*'
- SELECTION_5:
- TargetFilename: '*.vbs*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5)))
-id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/19
-references:
-- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
-- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-related:
-- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.005
-- attack.t1059.007
-- attack.t1064
-yml_filename: file_event_mal_adwind.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_mal_octopus_scanner.yml b/rules/alert-rules/sigma/file_event_mal_octopus_scanner.yml
deleted file mode 100644
index 05d53bb7..00000000
--- a/rules/alert-rules/sigma/file_event_mal_octopus_scanner.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Octopus Scanner Malware
-author: NVISO
-date: 2020/06/09
-description: Detects Octopus Scanner Malware.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Microsoft\Cache134.dat'
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Microsoft\ExplorerSync.db'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 805c55d9-31e6-4846-9878-c34c75054fe9
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
-status: experimental
-tags:
-- attack.t1195
-- attack.t1195.001
-yml_filename: file_event_mal_octopus_scanner.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/file_event_mal_vhd_download.yml b/rules/alert-rules/sigma/file_event_mal_vhd_download.yml
deleted file mode 100644
index fde162f1..00000000
--- a/rules/alert-rules/sigma/file_event_mal_vhd_download.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Suspicious VHD Image Download From Browser
-author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/10/25
-description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate
- payloads and evade security controls
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*.vhd*'
- SELECTION_2:
- Image: '*chrome.exe'
- SELECTION_3:
- Image: '*firefox.exe'
- SELECTION_4:
- Image: '*microsoftedge.exe'
- SELECTION_5:
- Image: '*microsoftedgecp.exe'
- SELECTION_6:
- Image: '*msedge.exe'
- SELECTION_7:
- Image: '*iexplorer.exe'
- SELECTION_8:
- Image: '*brave.exe'
- SELECTION_9:
- Image: '*opera.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10)
-falsepositives:
-- Legitimate user creation
-id: 8468111a-ef07-4654-903b-b863a80bbc95
-level: medium
-logsource:
- category: file_event
- definition: in sysmon add ".vhd
- "
- product: windows
-modified: 2021/10/29
-references:
-- https://redcanary.com/blog/intelligence-insights-october-2021/
-- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
-- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
-status: test
-tags:
-- attack.resource_development
-- attack.t1587.001
-yml_filename: file_event_mal_vhd_download.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
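Review bot: two defects in the deleted rule are worth recording so they are not carried into any replacement: SELECTION_7 matches `'*iexplorer.exe'`, but the Internet Explorer binary is `iexplore.exe`, so that branch never matched; and the `logsource.definition` value is split across two lines (`in sysmon add ".vhd` / `"`) by a stray line break from the conversion. The `falsepositives` entry "Legitimate user creation" also does not describe a browser download and should read "Legitimate user download".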
diff --git a/rules/alert-rules/sigma/file_event_moriya_rootkit.yml b/rules/alert-rules/sigma/file_event_moriya_rootkit.yml
deleted file mode 100644
index 6b9e6811..00000000
--- a/rules/alert-rules/sigma/file_event_moriya_rootkit.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Moriya Rootkit
-author: Bhabesh Raj
-date: 2021/05/06
-description: Detects the use of Moriya rootkit as described in the securelist's Operation
- TunnelSnake report
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- None
-id: a1507d71-0b60-44f6-b17c-bf53220fdd88
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/21
-references:
-- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
-related:
-- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
- type: derived
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1543.003
-yml_filename: file_event_moriya_rootkit.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_pingback_backdoor.yml b/rules/alert-rules/sigma/file_event_pingback_backdoor.yml
deleted file mode 100644
index ce83802c..00000000
--- a/rules/alert-rules/sigma/file_event_pingback_backdoor.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Pingback Backdoor
-author: Bhabesh Raj
-date: 2021/05/05
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
- as described in the trustwave report
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*updata.exe'
- SELECTION_3:
- TargetFilename: C:\Windows\oci.dll
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Very unlikely
-id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/09
-references:
-- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
-- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-status: experimental
-tags:
-- attack.persistence
-- attack.t1574.001
-yml_filename: file_event_pingback_backdoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_script_creation_by_office_using_file_ext.yml b/rules/alert-rules/sigma/file_event_script_creation_by_office_using_file_ext.yml
deleted file mode 100644
index acb6f55e..00000000
--- a/rules/alert-rules/sigma/file_event_script_creation_by_office_using_file_ext.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: Created Files by Office Applications
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: This rule will monitor executable and script file creation by office
- applications. Please add more file extensions or magic bytes to the logic of your
- choice.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*.vbs'
- SELECTION_11:
- TargetFilename: '*.sys'
- SELECTION_12:
- TargetFilename: '*.bat'
- SELECTION_13:
- TargetFilename: '*.scr'
- SELECTION_14:
- TargetFilename: '*.proj'
- SELECTION_2:
- Image: '*winword.exe'
- SELECTION_3:
- Image: '*excel.exe'
- SELECTION_4:
- Image: '*powerpnt.exe'
- SELECTION_5:
- TargetFilename: '*.exe'
- SELECTION_6:
- TargetFilename: '*.dll'
- SELECTION_7:
- TargetFilename: '*.ocx'
- SELECTION_8:
- TargetFilename: '*.com'
- SELECTION_9:
- TargetFilename: '*.ps1'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))
-falsepositives:
-- Unknown
-id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/11/10
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: file_event_script_creation_by_office_using_file_ext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
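Review bot: the `yml_path` line at the end of this hunk (`/Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event`) is a developer's local absolute path, so deleting the file is the right call, but whatever regenerates these rules should emit a repository-relative path or omit the field, otherwise the same machine-specific path comes straight back in the replacement. The lexicographic selection numbering in the detection block (`SELECTION_1`, `SELECTION_10`, `SELECTION_11`, ..., then `SELECTION_2`) also makes the `condition` hard to read against the YAML; sorting selection keys numerically in the converter would help the successor files.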
diff --git a/rules/alert-rules/sigma/file_event_tool_psexec.yml b/rules/alert-rules/sigma/file_event_tool_psexec.yml
deleted file mode 100644
index 5cc5ca99..00000000
--- a/rules/alert-rules/sigma/file_event_tool_psexec.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: PsExec Tool Execution
-author: Thomas Patzke
-date: 2017/06/12
-description: Detects PsExec service installation and execution events (service and
- Sysmon)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\PSEXESVC.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- ServiceName
-- ServiceFileName
-- TargetFilename
-- PipeName
-id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
-level: low
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/21
-references:
-- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-- https://jpcertcc.github.io/ToolAnalysisResultSheet
-related:
-- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1035
-- attack.t1569.002
-- attack.s0029
-yml_filename: file_event_tool_psexec.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
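Review bot: the `fields` list in this hunk (`CommandLine`, `ParentCommandLine`, `ServiceName`, `ServiceFileName`, `PipeName`) names fields that a Sysmon EventID 11 file-creation event does not carry; of the listed fields only `EventID` and `TargetFilename` apply to this `file_event` logsource. The list looks inherited from the multi-logsource upstream rule, so if the rule is recreated the output fields should be trimmed to those that actually exist on the event.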
diff --git a/rules/alert-rules/sigma/file_event_uac_bypass_winsat.yml b/rules/alert-rules/sigma/file_event_uac_bypass_winsat.yml
deleted file mode 100644
index 19eb45a5..00000000
--- a/rules/alert-rules/sigma/file_event_uac_bypass_winsat.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: UAC Bypass Abusing Winsat Path Parsing - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
- (UACMe 52)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\system32\winsat.exe'
- SELECTION_4:
- TargetFilename: '*\AppData\Local\Temp\system32\winmm.dll'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unknown
-id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: file_event_uac_bypass_winsat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_uac_bypass_wmp.yml b/rules/alert-rules/sigma/file_event_uac_bypass_wmp.yml
deleted file mode 100644
index e83d5e57..00000000
--- a/rules/alert-rules/sigma/file_event_uac_bypass_wmp.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: UAC Bypass Using Windows Media Player - File
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
- (UACMe 32)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
- SELECTION_4:
- Image: C:\Windows\system32\DllHost.exe
- SELECTION_5:
- TargetFilename: C:\Program Files\Windows Media Player\osk.exe
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5)))
-falsepositives:
-- Unknown
-id: 68578b43-65df-4f81-9a9b-92f32711a951
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: file_event_uac_bypass_wmp.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/file_event_winrm_awl_bypass.yml b/rules/alert-rules/sigma/file_event_winrm_awl_bypass.yml
deleted file mode 100644
index 85070523..00000000
--- a/rules/alert-rules/sigma/file_event_winrm_awl_bypass.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
-author: Julia Fomina, oscd.community
-date: 2020/10/06
-description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
- winrm.vbs and copied cscript.exe (can be renamed)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*WsmPty.xsl'
- SELECTION_3:
- TargetFilename: '*WsmTxt.xsl'
- SELECTION_4:
- TargetFilename: C:\Windows\System32\\*
- SELECTION_5:
- TargetFilename: C:\Windows\SysWOW64\\*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
- or SELECTION_5)))
-falsepositives:
-- Unlikely
-id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
-level: medium
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/19
-references:
-- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
-related:
-- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: file_event_winrm_awl_bypass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
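Review bot: the `related` id in this hunk, `074e0ded-6ced-4ebd-8b4d-53f55908119`, is not a valid UUID: its last group has 11 hex digits instead of 12. This is an upstream data error rather than a conversion error, but any replacement rule should carry a corrected id or the related-rule link will never resolve.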
diff --git a/rules/alert-rules/sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/alert-rules/sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
deleted file mode 100644
index 25ac4158..00000000
--- a/rules/alert-rules/sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Wmiprvse Wbemcomn DLL Hijack
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
- directory over the network and loading it for a WMI DLL Hijack scenario.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: System
- SELECTION_3:
- TargetFilename: '*\wbem\wbemcomn.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/09
-references:
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-- attack.lateral_movement
-- attack.t1021.002
-yml_filename: file_event_wmiprvse_wbemcomn_dll_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/image_load_pingback_backdoor.yml b/rules/alert-rules/sigma/image_load_pingback_backdoor.yml
deleted file mode 100644
index 943f51d5..00000000
--- a/rules/alert-rules/sigma/image_load_pingback_backdoor.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Pingback Backdoor
-author: Bhabesh Raj
-date: 2021/05/05
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
- as described in the trustwave report
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*msdtc.exe'
- SELECTION_3:
- ImageLoaded: C:\Windows\oci.dll
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Very unlikely
-id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/09
-references:
-- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
-- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-status: experimental
-tags:
-- attack.persistence
-- attack.t1574.001
-yml_filename: image_load_pingback_backdoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/image_load_silenttrinity_stage_use.yml b/rules/alert-rules/sigma/image_load_silenttrinity_stage_use.yml
deleted file mode 100644
index 8d2011f2..00000000
--- a/rules/alert-rules/sigma/image_load_silenttrinity_stage_use.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: SILENTTRINITY Stager Execution
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-description: Detects SILENTTRINITY stager use
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: '*st2stager*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/10/04
-references:
-- https://github.com/byt3bl33d3r/SILENTTRINITY
-related:
-- id: 03552375-cc2c-4883-bbe4-7958d5a980be
- type: derived
-status: experimental
-tags:
-- attack.command_and_control
-yml_filename: image_load_silenttrinity_stage_use.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/alert-rules/sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
deleted file mode 100644
index bb21cf8f..00000000
--- a/rules/alert-rules/sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Wmiprvse Wbemcomn DLL Hijack
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
- directory over the network and loading it for a WMI DLL Hijack scenario.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\wmiprvse.exe'
- SELECTION_3:
- ImageLoaded: '*\wbem\wbemcomn.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 7707a579-e0d8-4886-a853-ce47e4575aaa
-level: critical
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/09
-references:
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-- attack.lateral_movement
-- attack.t1021.002
-yml_filename: image_load_wmiprvse_wbemcomn_dll_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/pipe_created_tool_psexec.yml b/rules/alert-rules/sigma/pipe_created_tool_psexec.yml
deleted file mode 100644
index 6f5acabd..00000000
--- a/rules/alert-rules/sigma/pipe_created_tool_psexec.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: PsExec Tool Execution
-author: Thomas Patzke
-date: 2017/06/12
-description: Detects PsExec service installation and execution events (service and
- Sysmon)
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: \PSEXESVC
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- ServiceName
-- ServiceFileName
-- TargetFilename
-- PipeName
-id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
-level: low
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-modified: 2021/09/21
-references:
-- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-- https://jpcertcc.github.io/ToolAnalysisResultSheet
-related:
-- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1035
-- attack.t1569.002
-- attack.s0029
-yml_filename: pipe_created_tool_psexec.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
diff --git a/rules/alert-rules/sigma/powershell_accessing_win_api.yml b/rules/alert-rules/sigma/powershell_accessing_win_api.yml
deleted file mode 100644
index 848b7b7b..00000000
--- a/rules/alert-rules/sigma/powershell_accessing_win_api.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-title: Accessing WinAPI in PowerShell
-author: Nikita Nazarov, oscd.community
-date: 2020/10/06
-description: Detecting use WinAPI Functions in PowerShell
-detection:
- SELECTION_1:
- ScriptBlockText: '*WaitForSingleObject*'
- SELECTION_10:
- ScriptBlockText: '*GetDelegateForFunctionPointer*'
- SELECTION_11:
- ScriptBlockText: '*CreateThread*'
- SELECTION_12:
- ScriptBlockText: '*memcpy*'
- SELECTION_13:
- ScriptBlockText: '*LoadLibrary*'
- SELECTION_14:
- ScriptBlockText: '*GetModuleHandle*'
- SELECTION_15:
- ScriptBlockText: '*GetProcAddress*'
- SELECTION_16:
- ScriptBlockText: '*VirtualProtect*'
- SELECTION_17:
- ScriptBlockText: '*FreeLibrary*'
- SELECTION_18:
- ScriptBlockText: '*ReadProcessMemory*'
- SELECTION_19:
- ScriptBlockText: '*CreateRemoteThread*'
- SELECTION_2:
- ScriptBlockText: '*QueueUserApc*'
- SELECTION_20:
- ScriptBlockText: '*AdjustTokenPrivileges*'
- SELECTION_21:
- ScriptBlockText: '*WriteByte*'
- SELECTION_22:
- ScriptBlockText: '*WriteInt32*'
- SELECTION_23:
- ScriptBlockText: '*OpenThreadToken*'
- SELECTION_24:
- ScriptBlockText: '*PtrToString*'
- SELECTION_25:
- ScriptBlockText: '*FreeHGlobal*'
- SELECTION_26:
- ScriptBlockText: '*ZeroFreeGlobalAllocUnicode*'
- SELECTION_27:
- ScriptBlockText: '*OpenProcessToken*'
- SELECTION_28:
- ScriptBlockText: '*GetTokenInformation*'
- SELECTION_29:
- ScriptBlockText: '*SetThreadToken*'
- SELECTION_3:
- ScriptBlockText: '*RtlCreateUserThread*'
- SELECTION_30:
- ScriptBlockText: '*ImpersonateLoggedOnUser*'
- SELECTION_31:
- ScriptBlockText: '*RevertToSelf*'
- SELECTION_32:
- ScriptBlockText: '*GetLogonSessionData*'
- SELECTION_33:
- ScriptBlockText: '*CreateProcessWithToken*'
- SELECTION_34:
- ScriptBlockText: '*DuplicateTokenEx*'
- SELECTION_35:
- ScriptBlockText: '*OpenWindowStation*'
- SELECTION_36:
- ScriptBlockText: '*OpenDesktop*'
- SELECTION_37:
- ScriptBlockText: '*MiniDumpWriteDump*'
- SELECTION_38:
- ScriptBlockText: '*AddSecurityPackage*'
- SELECTION_39:
- ScriptBlockText: '*EnumerateSecurityPackages*'
- SELECTION_4:
- ScriptBlockText: '*OpenProcess*'
- SELECTION_40:
- ScriptBlockText: '*GetProcessHandle*'
- SELECTION_41:
- ScriptBlockText: '*DangerousGetHandle*'
- SELECTION_42:
- ScriptBlockText: '*kernel32*'
- SELECTION_43:
- ScriptBlockText: '*Advapi32*'
- SELECTION_44:
- ScriptBlockText: '*msvcrt*'
- SELECTION_45:
- ScriptBlockText: '*ntdll*'
- SELECTION_46:
- ScriptBlockText: '*user32*'
- SELECTION_47:
- ScriptBlockText: '*secur32*'
- SELECTION_5:
- ScriptBlockText: '*VirtualAlloc*'
- SELECTION_6:
- ScriptBlockText: '*VirtualFree*'
- SELECTION_7:
- ScriptBlockText: '*WriteProcessMemory*'
- SELECTION_8:
- ScriptBlockText: '*CreateUserThread*'
- SELECTION_9:
- ScriptBlockText: '*CloseHandle*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47)
-falsepositives:
-- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
-id: 03d83090-8cba-44a0-b02f-0b756a050306
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1106
-yml_filename: powershell_accessing_win_api.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
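Review bot: the selections on bare library names in this hunk (`*kernel32*`, `*Advapi32*`, `*msvcrt*`, `*ntdll*`, `*user32*`, `*secur32*`) match any script block that merely mentions those DLLs, which is far broader than the API-name selections and sits uneasily with `level: high` and a single listed false positive. A successor rule would be easier to tune if the library-name matches had to co-occur with one of the function-name matches, or were split out into a lower-severity rule.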
diff --git a/rules/alert-rules/sigma/powershell_adrecon_execution.yml b/rules/alert-rules/sigma/powershell_adrecon_execution.yml
deleted file mode 100644
index 033a5ad5..00000000
--- a/rules/alert-rules/sigma/powershell_adrecon_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: PowerShell ADRecon Execution
-author: Bhabesh Raj
-date: 2021/07/16
-description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
- reported to be actively used by FIN7
-detection:
- SELECTION_1:
- ScriptBlockText: '*Function Get-ADRExcelComOb*'
- SELECTION_2:
- ScriptBlockText: '*ADRecon-Report.xlsx*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unknown
-id: bf72941a-cba0-41ea-b18c-9aca3925690d
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/sense-of-security/ADRecon
-- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
-status: experimental
-tags:
-- attack.discovery
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_adrecon_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_alternate_powershell_hosts.yml b/rules/alert-rules/sigma/powershell_alternate_powershell_hosts.yml
deleted file mode 100644
index 46f47c38..00000000
--- a/rules/alert-rules/sigma/powershell_alternate_powershell_hosts.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Alternate PowerShell Hosts
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
-detection:
- SELECTION_1:
- ContextInfo: '*'
- SELECTION_2:
- ContextInfo: '*powershell.exe*'
- condition: (SELECTION_1 and not (SELECTION_2))
-falsepositives:
-- Programs using PowerShell directly without invocation of a dedicated interpreter
-- MSP Detection Searcher
-- Citrix ConfigSync.ps1
-id: 64e8e417-c19a-475a-8d19-98ea705394cc
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
-status: test
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_alternate_powershell_hosts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
diff --git a/rules/alert-rules/sigma/powershell_automated_collection.yml b/rules/alert-rules/sigma/powershell_automated_collection.yml
deleted file mode 100644
index 712a5a95..00000000
--- a/rules/alert-rules/sigma/powershell_automated_collection.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Automated Collection Command PowerShell
-author: frack113
-date: 2021/07/28
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data.
-detection:
- SELECTION_1:
- ScriptBlockText: '*.doc*'
- SELECTION_10:
- ScriptBlockText: '*Get-ChildItem*'
- SELECTION_11:
- ScriptBlockText: '* -Recurse *'
- SELECTION_12:
- ScriptBlockText: '* -Include *'
- SELECTION_2:
- ScriptBlockText: '*.docx*'
- SELECTION_3:
- ScriptBlockText: '*.xls*'
- SELECTION_4:
- ScriptBlockText: '*.xlsx*'
- SELECTION_5:
- ScriptBlockText: '*.ppt*'
- SELECTION_6:
- ScriptBlockText: '*.pptx*'
- SELECTION_7:
- ScriptBlockText: '*.rtf*'
- SELECTION_8:
- ScriptBlockText: '*.pdf*'
- SELECTION_9:
- ScriptBlockText: '*.txt*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10
- and SELECTION_11 and SELECTION_12)
-falsepositives:
-- Unknown
-id: c1dda054-d638-4c16-afc8-53e007f3fbc5
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1119
-yml_filename: powershell_automated_collection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
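Review bot: SELECTION_2, SELECTION_4 and SELECTION_6 in this hunk are redundant: `*.docx*` is already matched by `*.doc*`, `*.xlsx*` by `*.xls*`, and `*.pptx*` by `*.ppt*`, because the wildcards are unanchored on both sides. The successor rule can drop the three longer patterns without changing what it matches.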
diff --git a/rules/alert-rules/sigma/powershell_bad_opsec_artifacts.yml b/rules/alert-rules/sigma/powershell_bad_opsec_artifacts.yml
deleted file mode 100644
index f2dc7995..00000000
--- a/rules/alert-rules/sigma/powershell_bad_opsec_artifacts.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: Bad Opsec Powershell Code Artifacts
-author: ok @securonix invrep_de, oscd.community
-date: 2020/10/09
-description: Focuses on trivial artifacts observed in variants of prevalent offensive
- ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
- Powersploit, and other attack payloads that often undergo minimal changes by attackers
- due to bad opsec.
-detection:
- SELECTION_1:
- Payload: '*$DoIt*'
- SELECTION_2:
- Payload: '*harmj0y*'
- SELECTION_3:
- Payload: '*mattifestation*'
- SELECTION_4:
- Payload: '*_RastaMouse*'
- SELECTION_5:
- Payload: '*tifkin_*'
- SELECTION_6:
- Payload: '*0xdeadbeef*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6)
-falsepositives:
-- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
- of high specificity, fp appears to be fairly limited in many environments.
-id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
-level: critical
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
-- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
-- https://www.mdeditor.tw/pl/pgRt
-related:
-- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_bad_opsec_artifacts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
diff --git a/rules/alert-rules/sigma/powershell_cl_invocation_lolscript.yml b/rules/alert-rules/sigma/powershell_cl_invocation_lolscript.yml
deleted file mode 100644
index 7af51b96..00000000
--- a/rules/alert-rules/sigma/powershell_cl_invocation_lolscript.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Execution via CL_Invocation.ps1
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
-detection:
- SELECTION_1:
- ScriptBlockText: '*CL_Invocation.ps1*'
- SELECTION_2:
- ScriptBlockText: '*SyncInvoke*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 4cd29327-685a-460e-9dac-c3ab96e549dc
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
-- https://twitter.com/bohops/status/948061991012327424
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: powershell_cl_invocation_lolscript.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_cl_invocation_lolscript_count.yml b/rules/alert-rules/sigma/powershell_cl_invocation_lolscript_count.yml
deleted file mode 100644
index 4c16332f..00000000
--- a/rules/alert-rules/sigma/powershell_cl_invocation_lolscript_count.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Execution via CL_Invocation.ps1 (2 Lines)
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
-detection:
- SELECTION_1:
- ScriptBlockText: '*CL_Invocation.ps1*'
- SELECTION_2:
- ScriptBlockText: '*SyncInvoke*'
- condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer >
- 2
-falsepositives:
-- Unknown
-id: f588e69b-0750-46bb-8f87-0e9320d57536
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
-- https://twitter.com/bohops/status/948061991012327424
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: powershell_cl_invocation_lolscript_count.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
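Review bot: the title `(2 Lines)` and the condition `count(ScriptBlockText) by Computer > 2` disagree: `> 2` fires only on a third matching script block per host. Whichever is intended, the two should agree, and the `| count(...) by ...` aggregation needs to be a construct the evaluating engine actually supports; if it is not, the rule silently degrades to a plain `or` of the two selections and becomes a looser variant of the non-count rule deleted just above (same two selections, `and` there versus `or` here).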
diff --git a/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript.yml b/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript.yml
deleted file mode 100644
index 37e1d28a..00000000
--- a/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Execution via CL_Mutexverifiers.ps1
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
- module
-detection:
- SELECTION_1:
- ScriptBlockText: '*CL_Mutexverifiers.ps1*'
- SELECTION_2:
- ScriptBlockText: '*runAfterCancelProcess*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
-- https://twitter.com/pabraeken/status/995111125447577600
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: powershell_cl_mutexverifiers_lolscript.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript_count.yml
deleted file mode 100644
index 64989927..00000000
--- a/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript_count.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
- module
-detection:
- SELECTION_1:
- ScriptBlockText: '*CL_Mutexverifiers.ps1*'
- SELECTION_2:
- ScriptBlockText: '*runAfterCancelProcess*'
- condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer >
- 2
-falsepositives:
-- Unknown
-id: 6609c444-9670-4eab-9636-fe4755a851ce
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
-- https://twitter.com/pabraeken/status/995111125447577600
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: powershell_cl_mutexverifiers_lolscript_count.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_classic_alternate_powershell_hosts.yml b/rules/alert-rules/sigma/powershell_classic_alternate_powershell_hosts.yml
deleted file mode 100644
index 504373f3..00000000
--- a/rules/alert-rules/sigma/powershell_classic_alternate_powershell_hosts.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Alternate PowerShell Hosts
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
-detection:
- SELECTION_1:
- HostApplication: '*'
- SELECTION_2:
- HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
- condition: (SELECTION_1 and not (SELECTION_2))
-falsepositives:
-- Programs using PowerShell directly without invocation of a dedicated interpreter
-- MSP Detection Searcher
-- Citrix ConfigSync.ps1
-id: d7326048-328b-4d5e-98af-86e84b17c765
-level: medium
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
-related:
-- id: 64e8e417-c19a-475a-8d19-98ea705394cc
- type: derived
-status: test
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_classic_alternate_powershell_hosts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
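Review bot: the exclusion in SELECTION_2 of this hunk is the single path `C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*`, whereas the `ps_module` variant above excludes `*powershell.exe*`; the 32-bit host under `SysWOW64` and any other location of `powershell.exe` will therefore be reported as an alternate host by this rule only. Aligning the two exclusions (or documenting why the classic rule is stricter) would avoid inconsistent alerting between the two log sources. Minor: the logsource `definition` text reads `fields have to be extract from event` and should read `extracted` if the text is carried over.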
diff --git a/rules/alert-rules/sigma/powershell_classic_powercat.yml b/rules/alert-rules/sigma/powershell_classic_powercat.yml
deleted file mode 100644
index da27307a..00000000
--- a/rules/alert-rules/sigma/powershell_classic_powercat.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Netcat The Powershell Version
-author: frack113
-date: 2021/07/21
-description: Adversaries may use a non-application layer protocol for communication
- between host and C2 server or among infected hosts within a network
-detection:
- SELECTION_1:
- HostApplication: '*powercat *'
- SELECTION_2:
- HostApplication: '*powercat.ps1*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unknown
-id: c5b20776-639a-49bf-94c7-84f912b91c15
-level: medium
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://nmap.org/ncat/
-- https://github.com/besimorhino/powercat
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
-related:
-- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
- type: derived
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1095
-yml_filename: powershell_classic_powercat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
diff --git a/rules/alert-rules/sigma/powershell_classic_remote_powershell_session.yml b/rules/alert-rules/sigma/powershell_classic_remote_powershell_session.yml
deleted file mode 100644
index af094c9b..00000000
--- a/rules/alert-rules/sigma/powershell_classic_remote_powershell_session.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Remote PowerShell Session
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-description: Detects remote PowerShell sessions
-detection:
- SELECTION_1:
- HostName: ServerRemoteHost
- SELECTION_2:
- HostApplication: '*wsmprovhost.exe*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use remote PowerShell sessions
-id: 60167e5c-84b2-4c95-a7ac-86281f27c445
-level: high
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-related:
-- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
- type: derived
-status: test
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.lateral_movement
-- attack.t1021.006
-- attack.t1028
-yml_filename: powershell_classic_remote_powershell_session.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
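Review bot: the tag list pairs each current ATT&CK ID with its retired predecessor (`attack.t1059.001` with `attack.t1086`, `attack.t1021.006` with `attack.t1028`), so the rule is counted under four techniques when it covers two; if it comes back, keep only `attack.t1059.001` and `attack.t1021.006`.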
diff --git a/rules/alert-rules/sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
deleted file mode 100644
index 76dcf008..00000000
--- a/rules/alert-rules/sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
-author: frack113
-date: 2021/07/13
-description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
- that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
-detection:
- SELECTION_1:
- HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
- SELECTION_2:
- HostApplication: '*-ModuleName *'
- SELECTION_3:
- HostApplication: '*-ModulePath *'
- SELECTION_4:
- HostApplication: '*-ScriptBlock *'
- SELECTION_5:
- HostApplication: '*-RemoteFXvGPUDisablementFilePath*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: f65e22f9-819e-4f96-9c7b-498364ae7a25
-level: medium
-logsource:
- definition: fields have to be extract from event
- product: windows
- service: powershell-classic
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
-related:
-- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: powershell_classic_susp_athremotefxvgpudisablementcommand.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
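Review bot: SELECTION_1 matches `Invoke-ATHRemoteFXvGPUDisablementCommand`, the cmdlet of the Atomic Test Harness linked in `references`, so this rule fires on the test harness and not on the abuse of `RemoteFXvGPUDisablement.exe` that the title and description promise; a replacement should key on the binary itself appearing in `HostApplication`, so that an actor who never loads the harness is still caught. The `fields` list (`ComputerName`, `User`, `CommandLine`, `ParentCommandLine`) also names fields the detection never reads; the only field consulted is `HostApplication`.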
diff --git a/rules/alert-rules/sigma/powershell_classic_susp_zip_compress.yml b/rules/alert-rules/sigma/powershell_classic_susp_zip_compress.yml
deleted file mode 100644
index b0f2efef..00000000
--- a/rules/alert-rules/sigma/powershell_classic_susp_zip_compress.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-author: frack113
-date: 2021/07/20
-description: Use living off the land tools to zip a file and stage it in the Windows
- temporary folder for later exfiltration
-detection:
- SELECTION_1:
- HostApplication: '*Compress-Archive *'
- SELECTION_2:
- HostApplication: '* -Path *'
- SELECTION_3:
- HostApplication: '* -DestinationPath *'
- SELECTION_4:
- HostApplication: '*$env:TEMP\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 71ff406e-b633-4989-96ec-bc49d825a412
-level: medium
-logsource:
- definition: fields have to be extract from event
- product: windows
- service: powershell-classic
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
-related:
-- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
-status: experimental
-tags:
-- attack.collection
-- attack.t1074.001
-yml_filename: powershell_classic_susp_zip_compress.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
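Review bot: `logsource` is written as `service: powershell-classic` with no `category`, while the other classic rules in this diff use `category: ps_classic_start` (the download rule that follows and the shadow-copy rule further down); two spellings of one source are easy to lose when rules are regenerated, so pick one. SELECTION_4 also only recognises the `$env:TEMP\` spelling of the temp directory; `$env:TMP`, `[IO.Path]::GetTempPath()` or a literal `...\AppData\Local\Temp` path stage to the same folder without matching, so either widen the selection or state in the description that it is `$env:TEMP`-only.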
diff --git a/rules/alert-rules/sigma/powershell_classic_suspicious_download.yml b/rules/alert-rules/sigma/powershell_classic_suspicious_download.yml
deleted file mode 100644
index c3689974..00000000
--- a/rules/alert-rules/sigma/powershell_classic_suspicious_download.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious PowerShell Download
-author: Florian Roth
-date: 2017/03/05
-description: Detects suspicious PowerShell download command
-detection:
- SELECTION_1:
- HostApplication: '*System.Net.WebClient*'
- SELECTION_2:
- HostApplication: '*.DownloadFile(*'
- SELECTION_3:
- HostApplication: '*.DownloadString(*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- PowerShell scripts that download content from the Internet
-id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
-level: medium
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-related:
-- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_classic_suspicious_download.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
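Review bot: this rule has no `references` entry, and the selection covers only `DownloadFile(` and `DownloadString(` on `System.Net.WebClient`; `DownloadData(`, `OpenRead(` and the `Invoke-WebRequest`/`Invoke-RestMethod` cmdlets fetch the same content without matching. If it is reintroduced, add the missing methods or say in the description that it is WebClient-only.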
diff --git a/rules/alert-rules/sigma/powershell_clear_powershell_history.yml b/rules/alert-rules/sigma/powershell_clear_powershell_history.yml
deleted file mode 100644
index 98c8487c..00000000
--- a/rules/alert-rules/sigma/powershell_clear_powershell_history.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Clear PowerShell History
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-description: Detects keywords that could indicate clearing PowerShell history
-detection:
- SELECTION_1:
- Payload: '*del*'
- SELECTION_2:
- Payload: '*Remove-Item*'
- SELECTION_3:
- Payload: '*rm*'
- SELECTION_4:
- Payload: '*(Get-PSReadlineOption).HistorySavePath*'
- SELECTION_5:
- Payload: '*Set-PSReadlineOption*'
- SELECTION_6:
- Payload: "*\u2013HistorySaveStyle*"
- SELECTION_7:
- Payload: '*SaveNothing*'
- condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) or (SELECTION_5
- and SELECTION_6 and SELECTION_7))
-falsepositives:
-- Legitimate PowerShell scripts
-id: f99276ad-d122-4989-a09a-d00904a5f9d2
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
-related:
-- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.003
-- attack.t1146
-yml_filename: powershell_clear_powershell_history.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
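Review bot: SELECTION_6 is `"*\u2013HistorySaveStyle*"`, an en dash (U+2013) in front of the parameter name, so the second branch of the condition (`SELECTION_5 and SELECTION_6 and SELECTION_7`) only fires if the operator typed a Unicode dash; the ASCII form `Set-PSReadlineOption -HistorySaveStyle SaveNothing` does not match. Change it to `'*-HistorySaveStyle*'` or simply `'*HistorySaveStyle*'`. The first branch leans on `*del*`/`*rm*`, which are substrings of a great many words, but since it is ANDed with `(Get-PSReadlineOption).HistorySavePath` that part is acceptable.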
diff --git a/rules/alert-rules/sigma/powershell_create_local_user.yml b/rules/alert-rules/sigma/powershell_create_local_user.yml
deleted file mode 100644
index 2229601b..00000000
--- a/rules/alert-rules/sigma/powershell_create_local_user.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: PowerShell Create Local User
-author: '@ROxPinTeddy'
-date: 2020/04/11
-description: Detects creation of a local user via PowerShell
-detection:
- SELECTION_1:
- ScriptBlockText: '*New-LocalUser*'
- condition: SELECTION_1
-falsepositives:
-- Legitimate user creation
-id: 243de76f-4725-4f2e-8225-a8a69b15ad61
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.persistence
-- attack.t1136.001
-- attack.t1136
-yml_filename: powershell_create_local_user.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
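Review bot: `attack.t1136` and `attack.t1136.001` are both tagged; the sub-technique already implies the parent, so one is redundant, and `attack.t1086` has been folded into `attack.t1059.001`, which is also present. Keep `attack.t1059.001` and `attack.t1136.001`. The single selection `*New-LocalUser*` is fine for a medium-level hunting rule, but it also matches `Get-Help New-LocalUser` and scripts that only mention the cmdlet in a comment, which is worth a line under `falsepositives`.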
diff --git a/rules/alert-rules/sigma/powershell_data_compressed.yml b/rules/alert-rules/sigma/powershell_data_compressed.yml
deleted file mode 100644
index ce04734d..00000000
--- a/rules/alert-rules/sigma/powershell_data_compressed.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Data Compressed - PowerShell
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-description: An adversary may compress data (e.g., sensitive documents) that is collected
- prior to exfiltration in order to make it portable and minimize the amount of
- data sent over the network.
-detection:
- SELECTION_1:
- ScriptBlockText: '*-Recurse*'
- SELECTION_2:
- ScriptBlockText: '*|*'
- SELECTION_3:
- ScriptBlockText: '*Compress-Archive*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Highly likely if archive operations are done via PowerShell.
-id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
-level: low
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1560
-- attack.t1002
-yml_filename: powershell_data_compressed.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
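Review bot: SELECTION_2 is `'*|*'`, which matches any script block containing a pipe character, i.e. nearly every non-trivial one, so the condition effectively reduces to `-Recurse and Compress-Archive`; drop it or replace it with the actual pipeline shape (`-Recurse` followed by `| Compress-Archive`). The tactic tag is also off: the rule is tagged `attack.exfiltration`, but T1560 (Archive Collected Data) sits under Collection, and `attack.t1002` is the retired ID it replaced.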
diff --git a/rules/alert-rules/sigma/powershell_decompress_commands.yml b/rules/alert-rules/sigma/powershell_decompress_commands.yml
deleted file mode 100644
index 98431249..00000000
--- a/rules/alert-rules/sigma/powershell_decompress_commands.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: PowerShell Decompress Commands
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for specific decompress commands in PowerShell logs.
- This could be an adversary decompressing files.
-detection:
- SELECTION_1:
- Payload: '*Expand-Archive*'
- condition: SELECTION_1
-falsepositives:
-- unknown
-id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
-level: informational
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/8
-- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
-related:
-- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1140
-yml_filename: powershell_decompress_commands.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
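Review bot: `level: informational` appears only in this file; every other rule in the diff uses `low`, `medium`, `high` or `critical`. Check that the rule loader accepts `informational` at all, and if the rule is regenerated, map it to the lowest level the loader does accept so it is not silently skipped.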
diff --git a/rules/alert-rules/sigma/powershell_delete_volume_shadow_copies.yml b/rules/alert-rules/sigma/powershell_delete_volume_shadow_copies.yml
deleted file mode 100644
index 01c0c02c..00000000
--- a/rules/alert-rules/sigma/powershell_delete_volume_shadow_copies.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Delete Volume Shadow Copies Via WMI With PowerShell
-author: frack113
-date: 2021/06/03
-description: Shadow Copies deletion using operating systems utilities via PowerShell
-detection:
- SELECTION_1:
- HostApplication: '*Get-WmiObject*'
- SELECTION_2:
- HostApplication: '* Win32_Shadowcopy*'
- SELECTION_3:
- HostApplication: '*Delete()*'
- SELECTION_4:
- HostApplication: '*Remove-WmiObject*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Legitimate Administrator deletes Shadow Copies using operating systems utilities
- for legitimate reason
-fields:
-- HostApplication
-id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
-level: critical
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
-- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
-- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
-status: experimental
-tags:
-- attack.impact
-- attack.t1490
-yml_filename: powershell_delete_volume_shadow_copies.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
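Review bot: SELECTION_1 hard-requires `Get-WmiObject`, so the CIM equivalents (`Get-CimInstance Win32_ShadowCopy | Remove-CimInstance`) and the `gwmi` alias delete the same shadow copies without matching, which is a wide gap for a `critical`-level rule; add `Get-CimInstance`/`gwmi` to SELECTION_1 and `Remove-CimInstance` alongside SELECTION_3/SELECTION_4. More fundamentally, `HostApplication` in the classic log is the host's start-up command line, so this only sees the deletion when it is passed on the command line (`powershell -c "..."`), not when typed into an interactive session or run from a script file; the `ps_script` rules elsewhere in this diff are the ones that see those, and the description should say so.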
diff --git a/rules/alert-rules/sigma/powershell_detect_vm_env.yml b/rules/alert-rules/sigma/powershell_detect_vm_env.yml
deleted file mode 100644
index 7dbc4d06..00000000
--- a/rules/alert-rules/sigma/powershell_detect_vm_env.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Powershell Detect Virtualization Environment
-author: frack113
-date: 2021/08/03
-description: Adversaries may employ various system checks to detect and avoid virtualization
- and analysis environments. This may include changing behaviors based on the results
- of checks for the presence of artifacts indicative of a virtual machine environment
- (VME) or sandbox
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-WmiObject*'
- SELECTION_2:
- ScriptBlockText: '*MSAcpi_ThermalZoneTemperature*'
- SELECTION_3:
- ScriptBlockText: '*Win32_ComputerSystem*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: d93129cd-1ee0-479f-bc03-ca6f129882e3
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
-- https://techgenix.com/malicious-powershell-scripts-evade-detection/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1497.001
-yml_filename: powershell_detect_vm_env.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
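Review bot: `Get-WmiObject Win32_ComputerSystem` is what inventory, logon and help-desk scripts run to read the manufacturer and model, so SELECTION_3 on its own fires on routine administration, yet `falsepositives` says only `Unknown`; either list those sources or require the query together with a comparison against a virtualisation vendor string. The `definition` text (`EnableScriptBlockLogging must be set to enable`) also differs from the wording every other `ps_script` rule in the diff uses (`Script block logging must be enabled`).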
diff --git a/rules/alert-rules/sigma/powershell_dnscat_execution.yml b/rules/alert-rules/sigma/powershell_dnscat_execution.yml
deleted file mode 100644
index 6c28f97d..00000000
--- a/rules/alert-rules/sigma/powershell_dnscat_execution.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Dnscat Execution
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-description: Dnscat exfiltration tool execution
-detection:
- SELECTION_1:
- ScriptBlockText: '*Start-Dnscat2*'
- condition: SELECTION_1
-falsepositives:
-- "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)"
-id: a6d67db4-6220-436d-8afc-f3842fe05d43
-level: critical
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_dnscat_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
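Review bot: this rule has no `references` entry even though it targets one specific tool by cmdlet name (`Start-Dnscat2`); add a link to the PowerShell dnscat2 project so an analyst can confirm the cmdlet, and note in the description that a renamed or inlined copy of the client will not match a name-only selection.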
diff --git a/rules/alert-rules/sigma/powershell_downgrade_attack.yml b/rules/alert-rules/sigma/powershell_downgrade_attack.yml
deleted file mode 100644
index 34949587..00000000
--- a/rules/alert-rules/sigma/powershell_downgrade_attack.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: PowerShell Downgrade Attack
-author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-description: Detects PowerShell downgrade attack by comparing the host versions with
- the actually used engine version 2.0
-detection:
- SELECTION_1:
- EngineVersion: 2.*
- SELECTION_2:
- HostVersion: 2.*
- condition: (SELECTION_1 and not (SELECTION_2))
-falsepositives:
-- Penetration Test
-- Unknown
-id: 6331d09b-4785-4c13-980f-f96661356249
-level: medium
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_downgrade_attack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
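Review bot: `EngineVersion: 2.*` and `HostVersion: 2.*` are the only wildcard values in this diff left unquoted; YAML still reads them as strings, but quote them (`'2.*'`) as the other rules do so the `*` is obviously a pattern and not a stray character. The logic itself is right: engine 2.x inside a host that is not 2.x is the downgrade signature from the Lee Holmes post in `references`.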
diff --git a/rules/alert-rules/sigma/powershell_exe_calling_ps.yml b/rules/alert-rules/sigma/powershell_exe_calling_ps.yml
deleted file mode 100644
index 6758d2bc..00000000
--- a/rules/alert-rules/sigma/powershell_exe_calling_ps.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: PowerShell Called from an Executable Version Mismatch
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-description: Detects PowerShell called from an executable by the version mismatch
- method
-detection:
- SELECTION_1:
- EngineVersion: 2.*
- SELECTION_2:
- EngineVersion: 4.*
- SELECTION_3:
- EngineVersion: 5.*
- SELECTION_4:
- HostVersion: 3.*
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Penetration Tests
-- Unknown
-id: c70e019b-1479-4b65-b0cc-cd0c6093a599
-level: high
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://adsecurity.org/?p=2921
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_exe_calling_ps.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
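Review bot: SELECTION_4 only considers `HostVersion: 3.*`, so a mismatch under a 4.x or 5.x host is not covered here; engine 2.x under those hosts is caught by the downgrade rule just above, but engine 4.x under a 5.x host (or the reverse) is caught by neither. If the rule is reintroduced, either generalise it to "engine major differs from host major" or say in the description that it is limited to version-3 hosts.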
diff --git a/rules/alert-rules/sigma/powershell_get_clipboard.yml b/rules/alert-rules/sigma/powershell_get_clipboard.yml
deleted file mode 100644
index 9e5bc34f..00000000
--- a/rules/alert-rules/sigma/powershell_get_clipboard.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: PowerShell Get Clipboard
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for the Get-Clipboard commands in PowerShell logs.
- This could be an adversary capturing clipboard contents.
-detection:
- SELECTION_1:
- Payload: '*Get-Clipboard*'
- condition: SELECTION_1
-falsepositives:
-- unknown
-id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/16
-- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
-related:
-- id: 5486f63a-aa4c-488d-9a61-c9192853099f
- type: derived
-status: experimental
-tags:
-- attack.collection
-- attack.t1115
-yml_filename: powershell_get_clipboard.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
diff --git a/rules/alert-rules/sigma/powershell_icmp_exfiltration.yml b/rules/alert-rules/sigma/powershell_icmp_exfiltration.yml
deleted file mode 100644
index 98e90478..00000000
--- a/rules/alert-rules/sigma/powershell_icmp_exfiltration.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: PowerShell ICMP Exfiltration
-author: Bartlomiej Czyz @bczyz1, oscd.community
-date: 2020/10/10
-description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
- steal data by exfiltrating it over an un-encrypted network protocol other than
- that of the existing command and control channel.
-detection:
- SELECTION_1:
- ScriptBlockText: '*New-Object*'
- SELECTION_2:
- ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
- SELECTION_3:
- ScriptBlockText: '*.Send(*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Legitimate usage of System.Net.NetworkInformation.Ping class
-id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048.003
-yml_filename: powershell_icmp_exfiltration.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
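Review bot: SELECTION_2 requires the fully qualified `System.Net.NetworkInformation.Ping`, but PowerShell lets the `System.` prefix be dropped (`New-Object Net.NetworkInformation.Ping`), and the class can be instantiated with `[Net.NetworkInformation.Ping]::new()`, which also defeats SELECTION_1's `New-Object`; `.SendAsync(` and `.SendPingAsync(` do not contain `.Send(` and defeat SELECTION_3. Drop the `System.` prefix and the `New-Object` requirement, and match `.Send` without the opening parenthesis.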
diff --git a/rules/alert-rules/sigma/powershell_invoke_nightmare.yml b/rules/alert-rules/sigma/powershell_invoke_nightmare.yml
deleted file mode 100644
index 45af2c7c..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_nightmare.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: PrintNightmare Powershell Exploitation
-author: Max Altgelt, Tobias Michalski
-date: 2021/08/09
-description: Detects Commandlet name for PrintNightmare exploitation.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Invoke-Nightmare*'
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/calebstewart/CVE-2021-1675
-status: test
-tags:
-- attack.privilege_escalation
-yml_filename: powershell_invoke_nightmare.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
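Review bot: `tags` carries only the tactic `attack.privilege_escalation` with no technique ID, unlike every other rule in the diff; `attack.t1068` (Exploitation for Privilege Escalation) is the natural fit for a PrintNightmare exploit cmdlet. The `logsource.definition` text also reads `must be enable` where the other `ps_script` rules say `must be enabled`.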
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip.yml
deleted file mode 100644
index 5f0639e8..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation CLIP+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
-detection:
- SELECTION_1:
- Payload|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 73e67340-0d25-11eb-adc1-0242ac120002
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_clip.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
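Review bot: the regex opens with `.*` and then chains four `.+` runs (`.+clip`, `.+clipboard`, `.+\-f`, `.+\"`); on a long `Payload` value that is a lot of backtracking per event, and the leading `.*` buys nothing if the engine searches unanchored, which `|re` normally does. Drop the `.*`, and where the launcher format allows it bound the `.+` runs (for example `.{1,200}`) so a hostile or merely large payload cannot pin the matcher. The same shape recurs in the STDIN+ and VAR+ rules below.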
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
deleted file mode 100644
index f210c0a5..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation CLIP+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
-detection:
- SELECTION_1:
- ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 73e67340-0d25-11eb-adc1-0242ac120002
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
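Review bot: this file is the `ScriptBlockText` twin of the `Payload` rule in the previous hunk (same title, author, date and regex), and the `related` link is one-way: the `Payload` rule points here (`related: - id: 73e67340-0d25-11eb-adc1-0242ac120002`) but this file carries no `related` entry back to `a136cde0-61ad-4a61-9b82-8dc490e60dd2`. If the pairs are regenerated, emit the link in both directions, or derive both files from one source so the regexes cannot drift; the same applies to the STDIN+, VAR+, IEX and COMPRESS pairs that follow.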
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
deleted file mode 100644
index 1a8efc0f..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Invoke-Obfuscation Obfuscated IEX Invocation
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-description: "Detects all variations of obfuscated powershell IEX invocation code\
- \ generated by Invoke-Obfuscation framework from the following code block \u2014\
- \ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-detection:
- SELECTION_1:
- Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- SELECTION_2:
- Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- SELECTION_3:
- Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- SELECTION_4:
- Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- SELECTION_5:
- Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
- SELECTION_6:
- Payload|re: \$VerbosePreference\.ToString\(
- SELECTION_7:
- Payload|re: \String\]\s*\$VerbosePreference
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7)
-falsepositives:
-- Unknown
-id: 2f211361-7dce-442d-b78a-c04039677378
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-related:
-- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_invoke_obfuscation_obfuscated_iex.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
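Review bot: two of the seven regexes do not say what they mean. SELECTION_7 is `\String\]\s*\$VerbosePreference`, and `\S` is the non-whitespace class, so it matches `String]` only by accident and would also match `xtring]`; the intended `[String]$VerbosePreference` cast wants `\[String\]`. SELECTION_5 is `\\\\*mdr\\\\*\W\s*\)\.Name`, which as written requires a literal backslash on each side of `mdr`, whereas the obfuscated `(Get-Variable *mdr*).Name` form this targets has asterisks there, not backslashes; `\*mdr\*` is probably what was meant. Verify both against a sample produced by the Invoke-Obfuscation block linked in the description before re-adding the rule, and apply the same fix to the `ScriptBlockText` twin in the next hunk.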
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
deleted file mode 100644
index 5cf8147d..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Invoke-Obfuscation Obfuscated IEX Invocation
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-description: "Detects all variations of obfuscated powershell IEX invocation code\
- \ generated by Invoke-Obfuscation framework from the following code block \u2014\
- \ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-detection:
- SELECTION_1:
- ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- SELECTION_2:
- ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- SELECTION_3:
- ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- SELECTION_4:
- ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- SELECTION_5:
- ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
- SELECTION_6:
- ScriptBlockText|re: \$VerbosePreference\.ToString\(
- SELECTION_7:
- ScriptBlockText|re: \String\]\s*\$VerbosePreference
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7)
-falsepositives:
-- Unknown
-id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin.yml
deleted file mode 100644
index 7a414116..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation STDIN+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-description: Detects Obfuscated use of stdin to execute PowerShell
-detection:
- SELECTION_1:
- Payload|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_stdin.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
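Review bot: the second alternative in `(?:\$\{?input\}?|noexit)` means any `cmd /c ... powershell ... -noexit ... "` line satisfies the regex, and `-noexit` is how shortcuts, launchers and admin helpers keep a console open, so at `level: high` with `falsepositives: Unknown` this will be noisy. Either require the `$input` form, or accept `noexit` only together with a pipe into powershell (a `|` before `powershell`, which the regex currently does not check), and list console launchers under `falsepositives`.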
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
deleted file mode 100644
index c9d55d6b..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation STDIN+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-description: Detects Obfuscated use of stdin to execute PowerShell
-detection:
- SELECTION_1:
- ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 779c8c12-0eb1-11eb-adc1-0242ac120002
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_var.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_var.yml
deleted file mode 100644
index ffc537f6..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_var.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation VAR+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
-detection:
- SELECTION_1:
- Payload|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_var.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
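Review bot: the regex carries several constructs that are longer than they need to be and hide the intent: `(?:\s|)` is `\s?`, `(?:\{\d\}){1,}` is `(?:\{\d\})+`, and `(?:.*\)){1,}` is equivalent to a single `.*\)` with an extra source of backtracking. Rewriting them makes the pattern both readable and cheaper, and should be done in the `ScriptBlockText` twin that follows at the same time.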
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
deleted file mode 100644
index 857c540d..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation VAR+ Launcher
-author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
-detection:
- SELECTION_1:
- ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_var_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress.yml
deleted file mode 100644
index 278d7d3b..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation COMPRESS OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-detection:
- SELECTION_1:
- Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
- condition: SELECTION_1
-falsepositives:
-- unknown
-id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_compress.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
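Review bot: `falsepositives` here reads `- unknown` (lowercase) while the surrounding rules in this PR use `- Unknown`; if the rules are regenerated, normalise the casing so tooling that filters or reports on `falsepositives` treats them as one value. The regex is byte-identical to the `ScriptBlockText` variant deleted in the next hunk apart from the field name, which argues for generating both variants from a single source rather than maintaining two copies that can drift.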
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
deleted file mode 100644
index 1f32ddc1..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation COMPRESS OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
- condition: SELECTION_1
-falsepositives:
-- unknown
-id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll.yml
deleted file mode 100644
index ac22c48f..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation RUNDLL LAUNCHER
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-detection:
- SELECTION_1:
- Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: a23791fe-8846-485a-b16b-ca691e1b03d4
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_rundll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
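Review bot: the pattern on the `Payload|re` line ends in `powershell.*\"`, which makes a literal double quote after `powershell` mandatory; confirm that narrowing to quoted invocations is intended before carrying the pattern into a replacement rule, because an unquoted launcher string would not match. Minor: `(?:\s+)?` is equivalent to `\s*`.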
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
deleted file mode 100644
index ef0a7e1c..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation RUNDLL LAUNCHER
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin.yml
deleted file mode 100644
index 743bc3ae..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation Via Stdin
-author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-description: Detects Obfuscated Powershell via Stdin in Scripts
-detection:
- SELECTION_1:
- Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_stdin.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
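Review bot: the regex on the `Payload|re` line chains four `.*` segments (`.*(set).*&&\s?set.*(...).*&&.*"`), which gives polynomial backtracking on long script blocks that do not match; `(set)` is a capturing group whose value is never used and should be `(?:set)`. The same remarks apply to the `ScriptBlockText` twin in the next hunk.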
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
deleted file mode 100644
index fcf1d15b..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation Via Stdin
-author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-description: Detects Obfuscated Powershell via Stdin in Scripts
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip.yml
deleted file mode 100644
index 962c8b96..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation Via Use Clip
-author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-detection:
- SELECTION_1:
- Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_clip.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
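Review bot: the `Payload|re` pattern requires only `echo`, `clip`, `&&` and either `Clipboard` or a backtick-optional `invoke` anywhere in the payload, so an administrative one-liner that pipes output to `clip` and later reads `Get-Clipboard` would trip it; `falsepositives: Unknown` understates that, and a regenerated rule should name the benign case. The `i`?n`?v`?o`?k`?e`?` form correctly keeps every letter mandatory and only the backticks optional.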
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
deleted file mode 100644
index 2f99abf5..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation Via Use Clip
-author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
deleted file mode 100644
index 42140d36..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation Via Use MSHTA
-author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
-detection:
- SELECTION_1:
- Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabledd
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: e55a5195-4724-480e-a77e-3ebe64bd3759
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_mhsta.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
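Review bot: two typos in this hunk should not be carried into any regenerated rule: the filename is `..._via_use_mhsta.yml` while the title and description say `MSHTA`, and the `logsource.definition` line reads `must be enabledd`. The sibling `ScriptBlockText` rule in the next hunk has the same `mhsta` filename.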
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
deleted file mode 100644
index 50845bd3..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation Via Use MSHTA
-author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: e55a5195-4724-480e-a77e-3ebe64bd3759
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
deleted file mode 100644
index debbde46..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation Via Use Rundll32
-author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-detection:
- SELECTION_1:
- Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_rundll32.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
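Review bot: `date: 2019/10/08` is a year earlier than this author's other rules in the PR (`2020/10/08`, `2020/10/09`, `2020/10/12`) and than the referenced sigma issue series, so it is most likely a typo in the upstream source; verify before regenerating. The regex also keeps unused capture groups (`(value|invoke|comspec|iex)`) that can be non-capturing.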
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
deleted file mode 100644
index 972e42ae..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation Via Use Rundll32
-author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var.yml
deleted file mode 100644
index b834a0a2..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-detection:
- SELECTION_1:
- Payload|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabledd
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: e54f5149-6ba3-49cf-b153-070d24679126
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_var.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
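Review bot: the `logsource.definition` line again reads `must be enabledd`; fix the typo in whatever source these rules are regenerated from. The regex `.*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c` requires at least two `{N}` format placeholders, which is a stricter and more specific check than the single `{1,}` placeholder used by the VAR+ rule earlier in this diff; keep that distinction when the pair is rebuilt.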
diff --git a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
deleted file mode 100644
index d9d213d5..00000000
--- a/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-detection:
- SELECTION_1:
- ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: e54f5149-6ba3-49cf-b153-070d24679126
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_keylogging.yml b/rules/alert-rules/sigma/powershell_keylogging.yml
deleted file mode 100644
index 8d021052..00000000
--- a/rules/alert-rules/sigma/powershell_keylogging.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Powershell Keylogging
-author: frack113
-date: 2021/07/30
-description: Adversaries may log user keystrokes to intercept credentials as the user
- types them.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-Keystrokes*'
- SELECTION_2:
- ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*'
- SELECTION_3:
- ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*'
- condition: (SELECTION_1 or (SELECTION_2 and SELECTION_3))
-falsepositives:
-- Unknown
-id: 34f90d3c-c297-49e9-b26d-911b05a4866c
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
-status: experimental
-tags:
-- attack.collection
-- attack.t1056.001
-yml_filename: powershell_keylogging.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
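Review bot: the first `references` entry points at the Atomic Red Team page for T1218 (signed binary proxy execution) while the rule is tagged `attack.t1056.001` and the second reference is the T1056.001 keylogger script, so the first link looks mis-pasted. Note also that the condition `(SELECTION_1 or (SELECTION_2 and SELECTION_3))` only fires on the P/Invoke path when both `GetAsyncKeyState` and `GetForegroundWindow` are resolved in the same script block; a script that polls `GetAsyncKeyState` alone is not covered, which is worth stating in the rule description.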
diff --git a/rules/alert-rules/sigma/powershell_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_malicious_commandlets.yml
deleted file mode 100644
index 36f32def..00000000
--- a/rules/alert-rules/sigma/powershell_malicious_commandlets.yml
+++ /dev/null
@@ -1,237 +0,0 @@
-title: Malicious PowerShell Commandlets
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
- oscd.community (update)
-date: 2017/03/05
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-detection:
- SELECTION_1:
- ScriptBlockText: '*Invoke-DllInjection*'
- SELECTION_10:
- ScriptBlockText: '*Invoke-NinjaCopy*'
- SELECTION_11:
- ScriptBlockText: '*Invoke-TokenManipulation*'
- SELECTION_12:
- ScriptBlockText: '*Out-Minidump*'
- SELECTION_13:
- ScriptBlockText: '*VolumeShadowCopyTools*'
- SELECTION_14:
- ScriptBlockText: '*Invoke-ReflectivePEInjection*'
- SELECTION_15:
- ScriptBlockText: '*Invoke-UserHunter*'
- SELECTION_16:
- ScriptBlockText: '*Find-GPOLocation*'
- SELECTION_17:
- ScriptBlockText: '*Invoke-ACLScanner*'
- SELECTION_18:
- ScriptBlockText: '*Invoke-DowngradeAccount*'
- SELECTION_19:
- ScriptBlockText: '*Get-ServiceUnquoted*'
- SELECTION_2:
- ScriptBlockText: '*Invoke-Shellcode*'
- SELECTION_20:
- ScriptBlockText: '*Get-ServiceFilePermission*'
- SELECTION_21:
- ScriptBlockText: '*Get-ServicePermission*'
- SELECTION_22:
- ScriptBlockText: '*Invoke-ServiceAbuse*'
- SELECTION_23:
- ScriptBlockText: '*Install-ServiceBinary*'
- SELECTION_24:
- ScriptBlockText: '*Get-RegAutoLogon*'
- SELECTION_25:
- ScriptBlockText: '*Get-VulnAutoRun*'
- SELECTION_26:
- ScriptBlockText: '*Get-VulnSchTask*'
- SELECTION_27:
- ScriptBlockText: '*Get-UnattendedInstallFile*'
- SELECTION_28:
- ScriptBlockText: '*Get-ApplicationHost*'
- SELECTION_29:
- ScriptBlockText: '*Get-RegAlwaysInstallElevated*'
- SELECTION_3:
- ScriptBlockText: '*Invoke-WmiCommand*'
- SELECTION_30:
- ScriptBlockText: '*Get-Unconstrained*'
- SELECTION_31:
- ScriptBlockText: '*Add-RegBackdoor*'
- SELECTION_32:
- ScriptBlockText: '*Add-ScrnSaveBackdoor*'
- SELECTION_33:
- ScriptBlockText: '*Gupt-Backdoor*'
- SELECTION_34:
- ScriptBlockText: '*Invoke-ADSBackdoor*'
- SELECTION_35:
- ScriptBlockText: '*Enabled-DuplicateToken*'
- SELECTION_36:
- ScriptBlockText: '*Invoke-PsUaCme*'
- SELECTION_37:
- ScriptBlockText: '*Remove-Update*'
- SELECTION_38:
- ScriptBlockText: '*Check-VM*'
- SELECTION_39:
- ScriptBlockText: '*Get-LSASecret*'
- SELECTION_4:
- ScriptBlockText: '*Get-GPPPassword*'
- SELECTION_40:
- ScriptBlockText: '*Get-PassHashes*'
- SELECTION_41:
- ScriptBlockText: '*Show-TargetScreen*'
- SELECTION_42:
- ScriptBlockText: '*Port-Scan*'
- SELECTION_43:
- ScriptBlockText: '*Invoke-PoshRatHttp*'
- SELECTION_44:
- ScriptBlockText: '*Invoke-PowerShellTCP*'
- SELECTION_45:
- ScriptBlockText: '*Invoke-PowerShellWMI*'
- SELECTION_46:
- ScriptBlockText: '*Add-Exfiltration*'
- SELECTION_47:
- ScriptBlockText: '*Add-Persistence*'
- SELECTION_48:
- ScriptBlockText: '*Do-Exfiltration*'
- SELECTION_49:
- ScriptBlockText: '*Start-CaptureServer*'
- SELECTION_5:
- ScriptBlockText: '*Get-Keystrokes*'
- SELECTION_50:
- ScriptBlockText: '*Get-ChromeDump*'
- SELECTION_51:
- ScriptBlockText: '*Get-ClipboardContents*'
- SELECTION_52:
- ScriptBlockText: '*Get-FoxDump*'
- SELECTION_53:
- ScriptBlockText: '*Get-IndexedItem*'
- SELECTION_54:
- ScriptBlockText: '*Get-Screenshot*'
- SELECTION_55:
- ScriptBlockText: '*Invoke-Inveigh*'
- SELECTION_56:
- ScriptBlockText: '*Invoke-NetRipper*'
- SELECTION_57:
- ScriptBlockText: '*Invoke-EgressCheck*'
- SELECTION_58:
- ScriptBlockText: '*Invoke-PostExfil*'
- SELECTION_59:
- ScriptBlockText: '*Invoke-PSInject*'
- SELECTION_6:
- ScriptBlockText: '*Get-TimedScreenshot*'
- SELECTION_60:
- ScriptBlockText: '*Invoke-RunAs*'
- SELECTION_61:
- ScriptBlockText: '*MailRaider*'
- SELECTION_62:
- ScriptBlockText: '*New-HoneyHash*'
- SELECTION_63:
- ScriptBlockText: '*Set-MacAttribute*'
- SELECTION_64:
- ScriptBlockText: '*Invoke-DCSync*'
- SELECTION_65:
- ScriptBlockText: '*Invoke-PowerDump*'
- SELECTION_66:
- ScriptBlockText: '*Exploit-Jboss*'
- SELECTION_67:
- ScriptBlockText: '*Invoke-ThunderStruck*'
- SELECTION_68:
- ScriptBlockText: '*Invoke-VoiceTroll*'
- SELECTION_69:
- ScriptBlockText: '*Set-Wallpaper*'
- SELECTION_7:
- ScriptBlockText: '*Get-VaultCredential*'
- SELECTION_70:
- ScriptBlockText: '*Invoke-InveighRelay*'
- SELECTION_71:
- ScriptBlockText: '*Invoke-PsExec*'
- SELECTION_72:
- ScriptBlockText: '*Invoke-SSHCommand*'
- SELECTION_73:
- ScriptBlockText: '*Get-SecurityPackages*'
- SELECTION_74:
- ScriptBlockText: '*Install-SSP*'
- SELECTION_75:
- ScriptBlockText: '*Invoke-BackdoorLNK*'
- SELECTION_76:
- ScriptBlockText: '*PowerBreach*'
- SELECTION_77:
- ScriptBlockText: '*Get-SiteListPassword*'
- SELECTION_78:
- ScriptBlockText: '*Get-System*'
- SELECTION_79:
- ScriptBlockText: '*Invoke-BypassUAC*'
- SELECTION_8:
- ScriptBlockText: '*Invoke-CredentialInjection*'
- SELECTION_80:
- ScriptBlockText: '*Invoke-Tater*'
- SELECTION_81:
- ScriptBlockText: '*Invoke-WScriptBypassUAC*'
- SELECTION_82:
- ScriptBlockText: '*PowerUp*'
- SELECTION_83:
- ScriptBlockText: '*PowerView*'
- SELECTION_84:
- ScriptBlockText: '*Get-RickAstley*'
- SELECTION_85:
- ScriptBlockText: '*Find-Fruit*'
- SELECTION_86:
- ScriptBlockText: '*HTTP-Login*'
- SELECTION_87:
- ScriptBlockText: '*Find-TrustedDocuments*'
- SELECTION_88:
- ScriptBlockText: '*Invoke-Paranoia*'
- SELECTION_89:
- ScriptBlockText: '*Invoke-WinEnum*'
- SELECTION_9:
- ScriptBlockText: '*Invoke-Mimikatz*'
- SELECTION_90:
- ScriptBlockText: '*Invoke-ARPScan*'
- SELECTION_91:
- ScriptBlockText: '*Invoke-PortScan*'
- SELECTION_92:
- ScriptBlockText: '*Invoke-ReverseDNSLookup*'
- SELECTION_93:
- ScriptBlockText: '*Invoke-SMBScanner*'
- SELECTION_94:
- ScriptBlockText: '*Invoke-Mimikittenz*'
- SELECTION_95:
- ScriptBlockText: '*Invoke-AllChecks*'
- SELECTION_96:
- ScriptBlockText: '*Get-SystemDriveInfo*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
- or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
- or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
- or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
- or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
- or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
- or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
- or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
- or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95)
- and not (SELECTION_96))
-falsepositives:
-- Penetration testing
-id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://adsecurity.org/?p=2921
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_malicious_commandlets.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
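Review bot: the condition ends in `and not (SELECTION_96)`, where `SELECTION_96` is `*Get-SystemDriveInfo*`; that exclusion exists because `SELECTION_78` (`*Get-System*`) substring-matches `Get-SystemDriveInfo`, but as written it suppresses the whole alert whenever `Get-SystemDriveInfo` appears, even if `Invoke-Mimikatz` or another listed commandlet is in the same script block. Tightening `SELECTION_78` (for example to `*Get-System *` or a word boundary) would remove the need for the global exclusion. Two smaller items: `attack.t1086` is the retired ATT&CK id that `attack.t1059.001` replaced, so both tags on one rule is redundant, and the `definition` line reads `must be enable`.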
diff --git a/rules/alert-rules/sigma/powershell_malicious_keywords.yml b/rules/alert-rules/sigma/powershell_malicious_keywords.yml
deleted file mode 100644
index 4e49684a..00000000
--- a/rules/alert-rules/sigma/powershell_malicious_keywords.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: Malicious PowerShell Keywords
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-description: Detects keywords from well-known PowerShell exploitation frameworks
-detection:
- SELECTION_1:
- ScriptBlockText: '*AdjustTokenPrivileges*'
- SELECTION_10:
- ScriptBlockText: '*TOKEN_ADJUST_PRIVILEGES*'
- SELECTION_11:
- ScriptBlockText: '*TOKEN_ALL_ACCESS*'
- SELECTION_12:
- ScriptBlockText: '*TOKEN_ASSIGN_PRIMARY*'
- SELECTION_13:
- ScriptBlockText: '*TOKEN_DUPLICATE*'
- SELECTION_14:
- ScriptBlockText: '*TOKEN_ELEVATION*'
- SELECTION_15:
- ScriptBlockText: '*TOKEN_IMPERSONATE*'
- SELECTION_16:
- ScriptBlockText: '*TOKEN_INFORMATION_CLASS*'
- SELECTION_17:
- ScriptBlockText: '*TOKEN_PRIVILEGES*'
- SELECTION_18:
- ScriptBlockText: '*TOKEN_QUERY*'
- SELECTION_19:
- ScriptBlockText: '*Metasploit*'
- SELECTION_2:
- ScriptBlockText: '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
- SELECTION_20:
- ScriptBlockText: '*Mimikatz*'
- SELECTION_3:
- ScriptBlockText: '*Microsoft.Win32.UnsafeNativeMethods*'
- SELECTION_4:
- ScriptBlockText: '*ReadProcessMemory.Invoke*'
- SELECTION_5:
- ScriptBlockText: '*SE_PRIVILEGE_ENABLED*'
- SELECTION_6:
- ScriptBlockText: '*LSA_UNICODE_STRING*'
- SELECTION_7:
- ScriptBlockText: '*MiniDumpWriteDump*'
- SELECTION_8:
- ScriptBlockText: '*PAGE_EXECUTE_READ*'
- SELECTION_9:
- ScriptBlockText: '*SECURITY_DELEGATION*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20)
-falsepositives:
-- Penetration tests
-id: f62176f3-8128-4faa-bf6c-83261322e5eb
-level: high
-logsource:
- category: ps_script
- definition: It is recommended to use the new "Script Block Logging" of PowerShell
- v5 https://adsecurity.org/?p=2277
- product: windows
-modified: 2021/10/16
-references:
-- https://adsecurity.org/?p=2921
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_malicious_keywords.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
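Review bot: `logsource.definition` here embeds a recommendation and a URL (`It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277`) rather than the logging prerequisite the other rules put in that field; if regenerated, move the link to `references` and keep `definition` to the required log setting. As in the previous hunk, `attack.t1086` duplicates `attack.t1059.001`. The bare `*Mimikatz*` and `*Metasploit*` keywords also overlap the `*Invoke-Mimikatz*` commandlet match in the previous rule, so one script block will raise both alerts.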
diff --git a/rules/alert-rules/sigma/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/alert-rules/sigma/powershell_memorydump_getstoragediagnosticinfo.yml
deleted file mode 100644
index e6894026..00000000
--- a/rules/alert-rules/sigma/powershell_memorydump_getstoragediagnosticinfo.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Live Memory Dump Using Powershell
-author: Max Altgelt
-date: 2021/09/21
-description: Detects usage of a PowerShell command to dump the live memory of a Windows
- machine
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-StorageDiagnosticInfo*'
- SELECTION_2:
- ScriptBlockText: '*-IncludeLiveDump*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Diagnostics
-id: cd185561-4760-45d6-a63e-a51325112cae
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
-status: experimental
-tags:
-- attack.t1003
-yml_filename: powershell_memorydump_getstoragediagnosticinfo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
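Review bot: `tags` carries only the technique id `attack.t1003` with no tactic tag, whereas every other rule in this diff pairs the technique with its tactic (`attack.execution`, `attack.collection`, and so on); add the matching tactic if the rule is regenerated. Requiring both `Get-StorageDiagnosticInfo` and `-IncludeLiveDump` in the condition is the right shape, since the cmdlet without the switch is routine diagnostics and `falsepositives: Diagnostics` already reflects that.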
diff --git a/rules/alert-rules/sigma/powershell_nishang_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_nishang_malicious_commandlets.yml
deleted file mode 100644
index 3deb4678..00000000
--- a/rules/alert-rules/sigma/powershell_nishang_malicious_commandlets.yml
+++ /dev/null
@@ -1,179 +0,0 @@
-title: Malicious Nishang PowerShell Commandlets
-author: Alec Costello
-date: 2019/05/16
-description: Detects Commandlet names and arguments from the Nishang exploitation
- framework
-detection:
- SELECTION_1:
- ScriptBlockText: '*Add-ConstrainedDelegationBackdoor*'
- SELECTION_10:
- ScriptBlockText: '*Out-HTA*'
- SELECTION_11:
- ScriptBlockText: '*Out-SCF*'
- SELECTION_12:
- ScriptBlockText: '*Out-SCT*'
- SELECTION_13:
- ScriptBlockText: '*Out-Shortcut*'
- SELECTION_14:
- ScriptBlockText: '*Out-WebQuery*'
- SELECTION_15:
- ScriptBlockText: '*Out-Word*'
- SELECTION_16:
- ScriptBlockText: '*Enable-Duplication*'
- SELECTION_17:
- ScriptBlockText: '*Remove-Update*'
- SELECTION_18:
- ScriptBlockText: '*Download-Execute-PS*'
- SELECTION_19:
- ScriptBlockText: '*Download_Execute*'
- SELECTION_2:
- ScriptBlockText: '*Set-DCShadowPermissions*'
- SELECTION_20:
- ScriptBlockText: '*Execute-Command-MSSQL*'
- SELECTION_21:
- ScriptBlockText: '*Execute-DNSTXT-Code*'
- SELECTION_22:
- ScriptBlockText: '*Out-RundllCommand*'
- SELECTION_23:
- ScriptBlockText: '*Copy-VSS*'
- SELECTION_24:
- ScriptBlockText: '*FireBuster*'
- SELECTION_25:
- ScriptBlockText: '*FireListener*'
- SELECTION_26:
- ScriptBlockText: '*Get-Information*'
- SELECTION_27:
- ScriptBlockText: '*Get-PassHints*'
- SELECTION_28:
- ScriptBlockText: '*Get-WLAN-Keys*'
- SELECTION_29:
- ScriptBlockText: '*Get-Web-Credentials*'
- SELECTION_3:
- ScriptBlockText: '*DNS_TXT_Pwnage*'
- SELECTION_30:
- ScriptBlockText: '*Invoke-CredentialsPhish*'
- SELECTION_31:
- ScriptBlockText: '*Invoke-MimikatzWDigestDowngrade*'
- SELECTION_32:
- ScriptBlockText: '*Invoke-SSIDExfil*'
- SELECTION_33:
- ScriptBlockText: '*Invoke-SessionGopher*'
- SELECTION_34:
- ScriptBlockText: '*Keylogger*'
- SELECTION_35:
- ScriptBlockText: '*Invoke-Interceptor*'
- SELECTION_36:
- ScriptBlockText: '*Create-MultipleSessions*'
- SELECTION_37:
- ScriptBlockText: '*Invoke-NetworkRelay*'
- SELECTION_38:
- ScriptBlockText: '*Run-EXEonRemote*'
- SELECTION_39:
- ScriptBlockText: '*Invoke-Prasadhak*'
- SELECTION_4:
- ScriptBlockText: '*Execute-OnTime*'
- SELECTION_40:
- ScriptBlockText: '*Invoke-BruteForce*'
- SELECTION_41:
- ScriptBlockText: '*Password-List*'
- SELECTION_42:
- ScriptBlockText: '*Invoke-JSRatRegsvr*'
- SELECTION_43:
- ScriptBlockText: '*Invoke-JSRatRundll*'
- SELECTION_44:
- ScriptBlockText: '*Invoke-PoshRatHttps*'
- SELECTION_45:
- ScriptBlockText: '*Invoke-PowerShellIcmp*'
- SELECTION_46:
- ScriptBlockText: '*Invoke-PowerShellUdp*'
- SELECTION_47:
- ScriptBlockText: '*Invoke-PSGcat*'
- SELECTION_48:
- ScriptBlockText: '*Invoke-PsGcatAgent*'
- SELECTION_49:
- ScriptBlockText: '*Remove-PoshRat*'
- SELECTION_5:
- ScriptBlockText: '*HTTP-Backdoor*'
- SELECTION_50:
- ScriptBlockText: '*Add-Persistance*'
- SELECTION_51:
- ScriptBlockText: '*ExetoText*'
- SELECTION_52:
- ScriptBlockText: '*Invoke-Decode*'
- SELECTION_53:
- ScriptBlockText: '*Invoke-Encode*'
- SELECTION_54:
- ScriptBlockText: '*Parse_Keys*'
- SELECTION_55:
- ScriptBlockText: '*Remove-Persistence*'
- SELECTION_56:
- ScriptBlockText: '*StringtoBase64*'
- SELECTION_57:
- ScriptBlockText: '*TexttoExe*'
- SELECTION_58:
- ScriptBlockText: '*Powerpreter*'
- SELECTION_59:
- ScriptBlockText: '*Nishang*'
- SELECTION_6:
- ScriptBlockText: '*Set-RemotePSRemoting*'
- SELECTION_60:
- ScriptBlockText: '*DataToEncode*'
- SELECTION_61:
- ScriptBlockText: '*LoggedKeys*'
- SELECTION_62:
- ScriptBlockText: '*OUT-DNSTXT*'
- SELECTION_63:
- ScriptBlockText: '*ExfilOption*'
- SELECTION_64:
- ScriptBlockText: '*DumpCerts*'
- SELECTION_65:
- ScriptBlockText: '*DumpCreds*'
- SELECTION_66:
- ScriptBlockText: '*Shellcode32*'
- SELECTION_67:
- ScriptBlockText: '*Shellcode64*'
- SELECTION_68:
- ScriptBlockText: '*NotAllNameSpaces*'
- SELECTION_69:
- ScriptBlockText: '*exfill*'
- SELECTION_7:
- ScriptBlockText: '*Set-RemoteWMI*'
- SELECTION_70:
- ScriptBlockText: '*FakeDC*'
- SELECTION_8:
- ScriptBlockText: '*Invoke-AmsiBypass*'
- SELECTION_9:
- ScriptBlockText: '*Out-CHM*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
- or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
- or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
- or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70)
-falsepositives:
-- Penetration testing
-id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/samratashok/nishang
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_nishang_malicious_commandlets.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
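Review bot: this removes `level: high` Nishang coverage with no replacement visible in the diff; if the rule is being re-added elsewhere, two things are worth fixing on the way. The tag list carries the retired `attack.t1086` next to `attack.t1059.001` (T1086 was folded into T1059.001, so only the latter should remain), and several selections are bare substrings (`'*Keylogger*'`, `'*Nishang*'`, `'*exfill*'`, `'*DumpCreds*'`, `'*Shellcode32*'`) that match any script mentioning those words, including comments and variable names, which sits badly with a `high` level and a `falsepositives` list consisting only of `Penetration testing`.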
diff --git a/rules/alert-rules/sigma/powershell_ntfs_ads_access.yml b/rules/alert-rules/sigma/powershell_ntfs_ads_access.yml
deleted file mode 100644
index 6733bd4c..00000000
--- a/rules/alert-rules/sigma/powershell_ntfs_ads_access.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: NTFS Alternate Data Stream
-author: Sami Ruohonen
-date: 2018/07/24
-description: Detects writing data into NTFS alternate data streams from powershell.
- Needs Script Block Logging.
-detection:
- SELECTION_1:
- ScriptBlockText: '*set-content*'
- SELECTION_2:
- ScriptBlockText: '*add-content*'
- SELECTION_3:
- ScriptBlockText: '*-stream*'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3))
-falsepositives:
-- unknown
-id: 8c521530-5169-495d-a199-0a3a881ad24e
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- http://www.powertheshell.com/ntfsstreams/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.004
-- attack.t1096
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_ntfs_ads_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
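Review bot: the tag list pairs `attack.t1564.004` with the retired `attack.t1096` and `attack.t1059.001` with the retired `attack.t1086`; if this rule is re-added, keep only the current sub-technique IDs. The description also repeats the `logsource.definition` (`Needs Script Block Logging`), which can go. On the logic, `((SELECTION_1 or SELECTION_2) and (SELECTION_3))` keyed on `'*-stream*'` does catch `Set-Content -Stream`, but that is also how admin scripts write `Zone.Identifier` marks, so `falsepositives: unknown` at `level: high` undersells the expected noise.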
diff --git a/rules/alert-rules/sigma/powershell_powercat.yml b/rules/alert-rules/sigma/powershell_powercat.yml
deleted file mode 100644
index 136566ed..00000000
--- a/rules/alert-rules/sigma/powershell_powercat.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Netcat The Powershell Version
-author: frack113
-date: 2021/07/21
-description: Adversaries may use a non-application layer protocol for communication
- between host and C2 server or among infected hosts within a network
-detection:
- SELECTION_1:
- ContextInfo: '*powercat *'
- SELECTION_2:
- ContextInfo: '*powercat.ps1*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unknown
-id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://nmap.org/ncat/
-- https://github.com/besimorhino/powercat
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1095
-yml_filename: powershell_powercat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
diff --git a/rules/alert-rules/sigma/powershell_powerview_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_powerview_malicious_commandlets.yml
deleted file mode 100644
index 88476b84..00000000
--- a/rules/alert-rules/sigma/powershell_powerview_malicious_commandlets.yml
+++ /dev/null
@@ -1,295 +0,0 @@
-title: Malicious PowerView PowerShell Commandlets
-author: Bhabesh Raj
-date: 2021/05/18
-description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Export-PowerViewCSV*'
- SELECTION_10:
- ScriptBlockText: '*Invoke-UserImpersonation*'
- SELECTION_100:
- ScriptBlockText: '*Invoke-UserHunter*'
- SELECTION_101:
- ScriptBlockText: '*Find-DomainUserLocation*'
- SELECTION_102:
- ScriptBlockText: '*Invoke-ProcessHunter*'
- SELECTION_103:
- ScriptBlockText: '*Find-DomainProcess*'
- SELECTION_104:
- ScriptBlockText: '*Invoke-EventHunter*'
- SELECTION_105:
- ScriptBlockText: '*Find-DomainUserEvent*'
- SELECTION_106:
- ScriptBlockText: '*Invoke-ShareFinder*'
- SELECTION_107:
- ScriptBlockText: '*Find-DomainShare*'
- SELECTION_108:
- ScriptBlockText: '*Invoke-FileFinder*'
- SELECTION_109:
- ScriptBlockText: '*Find-InterestingDomainShareFile*'
- SELECTION_11:
- ScriptBlockText: '*Invoke-RevertToSelf*'
- SELECTION_110:
- ScriptBlockText: '*Find-LocalAdminAccess*'
- SELECTION_111:
- ScriptBlockText: '*Invoke-EnumerateLocalAdmin*'
- SELECTION_112:
- ScriptBlockText: '*Find-DomainLocalGroupMember*'
- SELECTION_113:
- ScriptBlockText: '*Get-NetDomainTrust*'
- SELECTION_114:
- ScriptBlockText: '*Get-DomainTrust*'
- SELECTION_115:
- ScriptBlockText: '*Get-NetForestTrust*'
- SELECTION_116:
- ScriptBlockText: '*Get-ForestTrust*'
- SELECTION_117:
- ScriptBlockText: '*Find-ForeignUser*'
- SELECTION_118:
- ScriptBlockText: '*Get-DomainForeignUser*'
- SELECTION_119:
- ScriptBlockText: '*Find-ForeignGroup*'
- SELECTION_12:
- ScriptBlockText: '*Request-SPNTicket*'
- SELECTION_120:
- ScriptBlockText: '*Get-DomainForeignGroupMember*'
- SELECTION_121:
- ScriptBlockText: '*Invoke-MapDomainTrust*'
- SELECTION_122:
- ScriptBlockText: '*Get-DomainTrustMapping*'
- SELECTION_13:
- ScriptBlockText: '*Get-DomainSPNTicket*'
- SELECTION_14:
- ScriptBlockText: '*Invoke-Kerberoast*'
- SELECTION_15:
- ScriptBlockText: '*Get-PathAcl*'
- SELECTION_16:
- ScriptBlockText: '*Get-DNSZone*'
- SELECTION_17:
- ScriptBlockText: '*Get-DomainDNSZone*'
- SELECTION_18:
- ScriptBlockText: '*Get-DNSRecord*'
- SELECTION_19:
- ScriptBlockText: '*Get-DomainDNSRecord*'
- SELECTION_2:
- ScriptBlockText: '*Get-IPAddress*'
- SELECTION_20:
- ScriptBlockText: '*Get-NetDomain*'
- SELECTION_21:
- ScriptBlockText: '*Get-Domain*'
- SELECTION_22:
- ScriptBlockText: '*Get-NetDomainController*'
- SELECTION_23:
- ScriptBlockText: '*Get-DomainController*'
- SELECTION_24:
- ScriptBlockText: '*Get-NetForest*'
- SELECTION_25:
- ScriptBlockText: '*Get-Forest*'
- SELECTION_26:
- ScriptBlockText: '*Get-NetForestDomain*'
- SELECTION_27:
- ScriptBlockText: '*Get-ForestDomain*'
- SELECTION_28:
- ScriptBlockText: '*Get-NetForestCatalog*'
- SELECTION_29:
- ScriptBlockText: '*Get-ForestGlobalCatalog*'
- SELECTION_3:
- ScriptBlockText: '*Resolve-IPAddress*'
- SELECTION_30:
- ScriptBlockText: '*Find-DomainObjectPropertyOutlier*'
- SELECTION_31:
- ScriptBlockText: '*Get-NetUser*'
- SELECTION_32:
- ScriptBlockText: '*Get-DomainUser*'
- SELECTION_33:
- ScriptBlockText: '*New-DomainUser*'
- SELECTION_34:
- ScriptBlockText: '*Set-DomainUserPassword*'
- SELECTION_35:
- ScriptBlockText: '*Get-UserEvent*'
- SELECTION_36:
- ScriptBlockText: '*Get-DomainUserEvent*'
- SELECTION_37:
- ScriptBlockText: '*Get-NetComputer*'
- SELECTION_38:
- ScriptBlockText: '*Get-DomainComputer*'
- SELECTION_39:
- ScriptBlockText: '*Get-ADObject*'
- SELECTION_4:
- ScriptBlockText: '*Convert-NameToSid*'
- SELECTION_40:
- ScriptBlockText: '*Get-DomainObject*'
- SELECTION_41:
- ScriptBlockText: '*Set-ADObject*'
- SELECTION_42:
- ScriptBlockText: '*Set-DomainObject*'
- SELECTION_43:
- ScriptBlockText: '*Get-ObjectAcl*'
- SELECTION_44:
- ScriptBlockText: '*Get-DomainObjectAcl*'
- SELECTION_45:
- ScriptBlockText: '*Add-ObjectAcl*'
- SELECTION_46:
- ScriptBlockText: '*Add-DomainObjectAcl*'
- SELECTION_47:
- ScriptBlockText: '*Invoke-ACLScanner*'
- SELECTION_48:
- ScriptBlockText: '*Find-InterestingDomainAcl*'
- SELECTION_49:
- ScriptBlockText: '*Get-NetOU*'
- SELECTION_5:
- ScriptBlockText: '*ConvertTo-SID*'
- SELECTION_50:
- ScriptBlockText: '*Get-DomainOU*'
- SELECTION_51:
- ScriptBlockText: '*Get-NetSite*'
- SELECTION_52:
- ScriptBlockText: '*Get-DomainSite*'
- SELECTION_53:
- ScriptBlockText: '*Get-NetSubnet*'
- SELECTION_54:
- ScriptBlockText: '*Get-DomainSubnet*'
- SELECTION_55:
- ScriptBlockText: '*Get-DomainSID*'
- SELECTION_56:
- ScriptBlockText: '*Get-NetGroup*'
- SELECTION_57:
- ScriptBlockText: '*Get-DomainGroup*'
- SELECTION_58:
- ScriptBlockText: '*New-DomainGroup*'
- SELECTION_59:
- ScriptBlockText: '*Find-ManagedSecurityGroups*'
- SELECTION_6:
- ScriptBlockText: '*Convert-ADName*'
- SELECTION_60:
- ScriptBlockText: '*Get-DomainManagedSecurityGroup*'
- SELECTION_61:
- ScriptBlockText: '*Get-NetGroupMember*'
- SELECTION_62:
- ScriptBlockText: '*Get-DomainGroupMember*'
- SELECTION_63:
- ScriptBlockText: '*Add-DomainGroupMember*'
- SELECTION_64:
- ScriptBlockText: '*Get-NetFileServer*'
- SELECTION_65:
- ScriptBlockText: '*Get-DomainFileServer*'
- SELECTION_66:
- ScriptBlockText: '*Get-DFSshare*'
- SELECTION_67:
- ScriptBlockText: '*Get-DomainDFSShare*'
- SELECTION_68:
- ScriptBlockText: '*Get-NetGPO*'
- SELECTION_69:
- ScriptBlockText: '*Get-DomainGPO*'
- SELECTION_7:
- ScriptBlockText: '*ConvertFrom-UACValue*'
- SELECTION_70:
- ScriptBlockText: '*Get-NetGPOGroup*'
- SELECTION_71:
- ScriptBlockText: '*Get-DomainGPOLocalGroup*'
- SELECTION_72:
- ScriptBlockText: '*Find-GPOLocation*'
- SELECTION_73:
- ScriptBlockText: '*Get-DomainGPOUserLocalGroupMapping*'
- SELECTION_74:
- ScriptBlockText: '*Find-GPOComputerAdmin*'
- SELECTION_75:
- ScriptBlockText: '*Get-DomainGPOComputerLocalGroupMapping*'
- SELECTION_76:
- ScriptBlockText: '*Get-DomainPolicy*'
- SELECTION_77:
- ScriptBlockText: '*Get-NetLocalGroup*'
- SELECTION_78:
- ScriptBlockText: '*Get-NetLocalGroupMember*'
- SELECTION_79:
- ScriptBlockText: '*Get-NetShare*'
- SELECTION_8:
- ScriptBlockText: '*Add-RemoteConnection*'
- SELECTION_80:
- ScriptBlockText: '*Get-NetLoggedon*'
- SELECTION_81:
- ScriptBlockText: '*Get-NetSession*'
- SELECTION_82:
- ScriptBlockText: '*Get-LoggedOnLocal*'
- SELECTION_83:
- ScriptBlockText: '*Get-RegLoggedOn*'
- SELECTION_84:
- ScriptBlockText: '*Get-NetRDPSession*'
- SELECTION_85:
- ScriptBlockText: '*Invoke-CheckLocalAdminAccess*'
- SELECTION_86:
- ScriptBlockText: '*Test-AdminAccess*'
- SELECTION_87:
- ScriptBlockText: '*Get-SiteName*'
- SELECTION_88:
- ScriptBlockText: '*Get-NetComputerSiteName*'
- SELECTION_89:
- ScriptBlockText: '*Get-Proxy*'
- SELECTION_9:
- ScriptBlockText: '*Remove-RemoteConnection*'
- SELECTION_90:
- ScriptBlockText: '*Get-WMIRegProxy*'
- SELECTION_91:
- ScriptBlockText: '*Get-LastLoggedOn*'
- SELECTION_92:
- ScriptBlockText: '*Get-WMIRegLastLoggedOn*'
- SELECTION_93:
- ScriptBlockText: '*Get-CachedRDPConnection*'
- SELECTION_94:
- ScriptBlockText: '*Get-WMIRegCachedRDPConnection*'
- SELECTION_95:
- ScriptBlockText: '*Get-RegistryMountedDrive*'
- SELECTION_96:
- ScriptBlockText: '*Get-WMIRegMountedDrive*'
- SELECTION_97:
- ScriptBlockText: '*Get-NetProcess*'
- SELECTION_98:
- ScriptBlockText: '*Get-WMIProcess*'
- SELECTION_99:
- ScriptBlockText: '*Find-InterestingFile*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
- or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
- or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
- or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
- or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
- or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
- or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
- or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
- or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95
- or SELECTION_96 or SELECTION_97 or SELECTION_98 or SELECTION_99 or SELECTION_100
- or SELECTION_101 or SELECTION_102 or SELECTION_103 or SELECTION_104 or SELECTION_105
- or SELECTION_106 or SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110
- or SELECTION_111 or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115
- or SELECTION_116 or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120
- or SELECTION_121 or SELECTION_122)
-falsepositives:
-- Should not be any as administrators do not use this tool
-id: dcd74b95-3f36-4ed9-9598-0490951643aa
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://powersploit.readthedocs.io/en/stable/Recon/README
-- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
-- https://thedfirreport.com/2020/10/08/ryuks-return
-- https://adsecurity.org/?p=2277
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_powerview_malicious_commandlets.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
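Review bot: the `falsepositives` entry `Should not be any as administrators do not use this tool` is contradicted by the selections themselves: `'*Get-ADObject*'` (SELECTION_39) and `'*Set-ADObject*'` (SELECTION_41) are cmdlets of Microsoft's ActiveDirectory RSAT module, and `'*Get-Domain*'` (SELECTION_21), `'*Get-Forest*'` (SELECTION_25), `'*Get-Proxy*'` (SELECTION_89) and `'*Get-IPAddress*'` (SELECTION_2) are generic enough to match unrelated admin scripts, so at `level: high` this rule will page on routine RSAT usage. If it is re-added, drop the RSAT-native names and narrow the substring-of-everything entries, or lower the level. `definition: Script Block Logging must be enable` is also missing its final `d`.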
diff --git a/rules/alert-rules/sigma/powershell_prompt_credentials.yml b/rules/alert-rules/sigma/powershell_prompt_credentials.yml
deleted file mode 100644
index f3d8882c..00000000
--- a/rules/alert-rules/sigma/powershell_prompt_credentials.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: PowerShell Credential Prompt
-author: John Lambert (idea), Florian Roth (rule)
-date: 2017/04/09
-description: Detects PowerShell calling a credential prompt
-detection:
- SELECTION_1:
- ScriptBlockText: '*PromptForCredential*'
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: ca8b77a9-d499-4095-b793-5d5f330d450e
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://twitter.com/JohnLaTwC/status/850381440629981184
-- https://t.co/ezOTGy1a1G
-status: experimental
-tags:
-- attack.credential_access
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_prompt_credentials.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
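Review bot: the second reference `https://t.co/ezOTGy1a1G` is a Twitter shortlink that hides its destination and will break when the shortener does; if this rule is re-added, replace it with the resolved URL or drop it, since the first reference already points at the tweet. The `'*PromptForCredential*'` selection also matches the legitimate `$Host.UI.PromptForCredential` call that interactive admin scripts use, which belongs in `falsepositives` rather than `Unknown`.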
diff --git a/rules/alert-rules/sigma/powershell_psattack.yml b/rules/alert-rules/sigma/powershell_psattack.yml
deleted file mode 100644
index d5db3980..00000000
--- a/rules/alert-rules/sigma/powershell_psattack.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: PowerShell PSAttack
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-description: Detects the use of PSAttack PowerShell hack tool
-detection:
- SELECTION_1:
- ScriptBlockText: '*PS ATTACK!!!*'
- condition: SELECTION_1
-falsepositives:
-- Pentesters
-id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://adsecurity.org/?p=2921
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_psattack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_remote_powershell_session.yml b/rules/alert-rules/sigma/powershell_remote_powershell_session.yml
deleted file mode 100644
index 5a83d0d1..00000000
--- a/rules/alert-rules/sigma/powershell_remote_powershell_session.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Remote PowerShell Session
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-description: Detects remote PowerShell sessions
-detection:
- SELECTION_1:
- ContextInfo: '* = ServerRemoteHost *'
- SELECTION_2:
- ContextInfo: '*wsmprovhost.exe*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use remote PowerShell sessions
-id: 96b9f619-aa91-478f-bacb-c3e50f8df575
-level: high
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-status: test
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.lateral_movement
-- attack.t1021.006
-- attack.t1028
-yml_filename: powershell_remote_powershell_session.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
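Review bot: `level: high` does not fit a rule whose own `falsepositives` entry concedes legitimate use (`Legitimate use remote PowerShell sessions`, which also wants an `of`); every WinRM/PSRemoting session hosted by `wsmprovhost.exe` matches `(SELECTION_1 and SELECTION_2)`, so in an environment that manages servers over PSRemoting this is a volume alert, not a high-severity one. If re-added, lower the level or exclude known management hosts, and drop the retired tags `attack.t1086` and `attack.t1028`, which duplicate `attack.t1059.001` and `attack.t1021.006`.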
diff --git a/rules/alert-rules/sigma/powershell_renamed_powershell.yml b/rules/alert-rules/sigma/powershell_renamed_powershell.yml
deleted file mode 100644
index a858e3c9..00000000
--- a/rules/alert-rules/sigma/powershell_renamed_powershell.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Renamed Powershell Under Powershell Channel
-author: Harish Segar, frack113
-date: 2020/06/29
-description: Detects renamed powershell
-detection:
- SELECTION_1:
- HostName: ConsoleHost
- SELECTION_2:
- HostApplication: powershell.exe*
- SELECTION_3:
- HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
- condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3)))
-falsepositives:
-- unknown
-id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
-level: low
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: test
-tags:
-- attack.execution
-- attack.t1086
-- attack.t1059.001
-yml_filename: powershell_renamed_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
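Review bot: the allow-list in `(SELECTION_1 and not ((SELECTION_2 or SELECTION_3)))` only exempts a bare `powershell.exe*` prefix and the `C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*` path, so the 32-bit host at `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` on 64-bit Windows, and any invocation via a different drive letter, will be reported as renamed PowerShell. If the rule is re-added, add the SysWOW64 path and confirm the `HostApplication` comparison is case-insensitive; `definition: fields have to be extract from event` also wants `extracted`.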
diff --git a/rules/alert-rules/sigma/powershell_shellcode_b64.yml b/rules/alert-rules/sigma/powershell_shellcode_b64.yml
deleted file mode 100644
index 36d66a2f..00000000
--- a/rules/alert-rules/sigma/powershell_shellcode_b64.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: PowerShell ShellCode
-author: David Ledbetter (shellcode), Florian Roth (rule)
-date: 2018/11/17
-description: Detects Base64 encoded Shellcode
-detection:
- SELECTION_1:
- ScriptBlockText: '*AAAAYInlM*'
- SELECTION_2:
- ScriptBlockText: '*OiCAAAAYInlM*'
- SELECTION_3:
- ScriptBlockText: '*OiJAAAAYInlM*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
-level: critical
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://twitter.com/cyb3rops/status/1063072865992523776
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_shellcode_b64.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
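Review bot: `SELECTION_1` is redundant in `(SELECTION_1 and (SELECTION_2 or SELECTION_3))`: both `'*OiCAAAAYInlM*'` and `'*OiJAAAAYInlM*'` contain the `AAAAYInlM` substring that `SELECTION_1` looks for, so the condition is equivalent to `SELECTION_2 or SELECTION_3` and the broader pattern never adds or removes a match. Harmless, but it reads as if `AAAAYInlM` alone were meant as a weaker standalone indicator; if re-added, either drop `SELECTION_1` or give it its own lower-level rule. The tag list also carries the retired `attack.t1086` alongside `attack.t1059.001`.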
diff --git a/rules/alert-rules/sigma/powershell_shellintel_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_shellintel_malicious_commandlets.yml
deleted file mode 100644
index ad4f29df..00000000
--- a/rules/alert-rules/sigma/powershell_shellintel_malicious_commandlets.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Malicious ShellIntel PowerShell Commandlets
-author: Max Altgelt, Tobias Michalski
-date: 2021/08/09
-description: Detects Commandlet names from ShellIntel exploitation scripts.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Invoke-SMBAutoBrute*'
- SELECTION_2:
- ScriptBlockText: '*Invoke-GPOLinks*'
- SELECTION_3:
- ScriptBlockText: '*Out-Minidump*'
- SELECTION_4:
- ScriptBlockText: '*Invoke-Potato*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- Unknown
-id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/Shellntel/scripts/
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: powershell_shellintel_malicious_commandlets.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_software_discovery.yml b/rules/alert-rules/sigma/powershell_software_discovery.yml
deleted file mode 100644
index 169eccae..00000000
--- a/rules/alert-rules/sigma/powershell_software_discovery.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Detected Windows Software Discovery
-author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-description: Adversaries may attempt to enumerate software for a variety of reasons,
- such as figuring out what security measures are present or if the compromised
- system has a version of software that is vulnerable.
-detection:
- SELECTION_1:
- ScriptBlockText: '*get-itemProperty*'
- SELECTION_2:
- ScriptBlockText: '*\software\\*'
- SELECTION_3:
- ScriptBlockText: '*select-object*'
- SELECTION_4:
- ScriptBlockText: '*format-table*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Legitimate administration activities
-id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/11/12
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
-- https://github.com/harleyQu1nn/AggressorScripts
-status: experimental
-tags:
-- attack.discovery
-- attack.t1518
-yml_filename: powershell_software_discovery.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
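Review bot: requiring all four selections (`get-itemProperty`, `\software\`, `select-object`, `format-table`) pins this rule to the exact Atomic Red Team T1518 one-liner; an actor who pipes to `Format-List`, `Out-String` or `Export-Csv`, or omits the formatting cmdlet entirely, is missed, while `Get-ItemProperty` against a `\software\` registry path is the actual discovery signal. If re-added, make `SELECTION_3`/`SELECTION_4` optional or replace them with a registry-path check such as `*\Uninstall\*`, and let `level: medium` carry the residual noise.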
diff --git a/rules/alert-rules/sigma/powershell_store_file_in_alternate_data_stream.yml b/rules/alert-rules/sigma/powershell_store_file_in_alternate_data_stream.yml
deleted file mode 100644
index 6b67de11..00000000
--- a/rules/alert-rules/sigma/powershell_store_file_in_alternate_data_stream.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Powershell Store File In Alternate Data Stream
-author: frack113
-date: 2021/09/02
-description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Start-Process*'
- SELECTION_2:
- ScriptBlockText: '*-FilePath "$env:comspec" *'
- SELECTION_3:
- ScriptBlockText: '*-ArgumentList *'
- SELECTION_4:
- ScriptBlockText: '*>*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.004
-yml_filename: powershell_store_file_in_alternate_data_stream.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
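Review bot: nothing in the detection tests for an alternate data stream: `(SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)` fires on any `Start-Process -FilePath "$env:comspec" -ArgumentList ...` whose argument string contains a `>` redirect, ADS or not, so the title `Powershell Store File In Alternate Data Stream` over-claims and ordinary cmd-via-PowerShell output redirection will trip it. If re-added, require the `file:stream` form in the redirect target (the `:` after the path is what distinguishes the Atomic T1564.004 test) or retitle the rule to what it actually matches.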
diff --git a/rules/alert-rules/sigma/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
deleted file mode 100644
index 30a9be07..00000000
--- a/rules/alert-rules/sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
-author: frack113
-date: 2021/07/13
-description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
- that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
-detection:
- SELECTION_1:
- ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
- SELECTION_2:
- ContextInfo: '*-ModuleName *'
- SELECTION_3:
- ContextInfo: '*-ModulePath *'
- SELECTION_4:
- ContextInfo: '*-ScriptBlock *'
- SELECTION_5:
- ContextInfo: '*-RemoteFXvGPUDisablementFilePath*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 38a7625e-b2cb-485d-b83d-aff137d859f4
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabledd
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: powershell_susp_athremotefxvgpudisablementcommand.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
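Review bot: the `fields` list (`ComputerName`, `User`, `CommandLine`, `ParentCommandLine`) belongs to a process-creation log source, not to the `ps_module` events this rule queries: `CommandLine` and `ParentCommandLine` are 4688/Sysmon fields and do not exist on PowerShell module-logging events (4103), whose content lives in `ContextInfo` and `Payload`, so those output fields would render empty. If re-added, list `ContextInfo` instead; `definition: PowerShell Module Logging must be enabledd` also has a doubled `d`.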
diff --git a/rules/alert-rules/sigma/powershell_susp_zip_compress.yml b/rules/alert-rules/sigma/powershell_susp_zip_compress.yml
deleted file mode 100644
index 520c9ec3..00000000
--- a/rules/alert-rules/sigma/powershell_susp_zip_compress.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-author: frack113
-date: 2021/07/20
-description: Use living off the land tools to zip a file and stage it in the Windows
- temporary folder for later exfiltration
-detection:
- SELECTION_1:
- ContextInfo: '*Compress-Archive *'
- SELECTION_2:
- ContextInfo: '* -Path *'
- SELECTION_3:
- ContextInfo: '* -DestinationPath *'
- SELECTION_4:
- ContextInfo: '*$env:TEMP\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: daf7eb81-35fd-410d-9d7a-657837e602bb
-level: medium
-logsource:
- category: ps_module
- definition: PowerShell Module Logging must be enabledd
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
-related:
-- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
-status: experimental
-tags:
-- attack.collection
-- attack.t1074.001
-yml_filename: powershell_susp_zip_compress.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
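Review bot: this rule and the one it declares as `related` / `type: derived` (`b7a3c9a3-09ea-4934-8864-6a32cacd98d9`, the `ScriptBlockText` variant deleted in the next hunk) are removed together, which keeps the link from dangling; if they are re-added, keep both or drop the link. Independently, `'*$env:TEMP\\*'` misses staging written as `$env:TMP`, `$env:LOCALAPPDATA\Temp` or a literal `...\AppData\Local\Temp` path, and `'* -Path *'` plus `'* -DestinationPath *'` miss positional use (`Compress-Archive src dst.zip`), so the four-way AND is tight to the Atomic T1074.001 command rather than to the technique. `enabledd` in the `definition` line also has a doubled `d`.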
diff --git a/rules/alert-rules/sigma/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
deleted file mode 100644
index d377b6fc..00000000
--- a/rules/alert-rules/sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-author: frack113
-date: 2021/07/20
-description: Use living off the land tools to zip a file and stage it in the Windows
- temporary folder for later exfiltration
-detection:
- SELECTION_1:
- ScriptBlockText: '*Compress-Archive *'
- SELECTION_2:
- ScriptBlockText: '* -Path *'
- SELECTION_3:
- ScriptBlockText: '* -DestinationPath *'
- SELECTION_4:
- ScriptBlockText: '*$env:TEMP\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
-level: medium
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1074.001
-yml_filename: powershell_susp_zip_compress_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_suspicious_download.yml b/rules/alert-rules/sigma/powershell_suspicious_download.yml
deleted file mode 100644
index 150555f4..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_download.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: Suspicious PowerShell Download
-author: Florian Roth
-date: 2017/03/05
-description: Detects suspicious PowerShell download command
-detection:
- condition: (System.Net.WebClient and (.DownloadFile( or .DownloadString())
-falsepositives:
-- PowerShell scripts that download content from the Internet
-id: 65531a81-a694-4e31-ae04-f8ba5bc33759
-level: medium
-logsource:
- product: windows
- service: powershell
-modified: 2021/09/21
-status: deprecated
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_download.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
diff --git a/rules/alert-rules/sigma/powershell_suspicious_download_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_download_in_contextinfo.yml
deleted file mode 100644
index 1af7503b..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_download_in_contextinfo.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious PowerShell Download
-author: Florian Roth
-date: 2017/03/05
-description: Detects suspicious PowerShell download command
-detection:
- SELECTION_1:
- ContextInfo: '*System.Net.WebClient*'
- SELECTION_2:
- ContextInfo: '*.DownloadFile(*'
- SELECTION_3:
- ContextInfo: '*.DownloadString(*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- PowerShell scripts that download content from the Internet
-id: de41232e-12e8-49fa-86bc-c05c7e722df9
-level: medium
-logsource:
- category: ps_module
- product: windows
-modified: 2021/10/18
-related:
-- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_download_in_contextinfo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
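Review bot: SELECTION_1 `ContextInfo: '*System.Net.WebClient*'` does not match the shortened type name in `New-Object Net.WebClient`, which PowerShell resolves to the same class and which is the more common form in one-liners; matching on `*Net.WebClient*` covers both. SELECTION_2/SELECTION_3 also stop at `.DownloadFile(` and `.DownloadString(`, leaving `.DownloadData(` and `.OpenRead(` from the same class unmatched. The tag `attack.t1086` is a retired ATT&CK ID that is already superseded by the `attack.t1059.001` tag on the previous line.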
diff --git a/rules/alert-rules/sigma/powershell_suspicious_download_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_download_in_scriptblocktext.yml
deleted file mode 100644
index 60a1ca75..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_download_in_scriptblocktext.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious PowerShell Download
-author: Florian Roth
-date: 2017/03/05
-description: Detects suspicious PowerShell download command
-detection:
- SELECTION_1:
- ScriptBlockText: '*System.Net.WebClient*'
- SELECTION_2:
- ScriptBlockText: '*.DownloadFile(*'
- SELECTION_3:
- ScriptBlockText: '*.DownloadString(*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- PowerShell scripts that download content from the Internet
-id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
-level: medium
-logsource:
- category: ps_script
- product: windows
-modified: 2021/10/18
-related:
-- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_download_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
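Review bot: `ScriptBlockText: '*System.Net.WebClient*'` misses `New-Object Net.WebClient`, the shortened type name PowerShell accepts and the form most one-liners use; use `*Net.WebClient*`, and extend SELECTION_2/SELECTION_3 beyond `.DownloadFile(` and `.DownloadString(` to `.DownloadData(`. This rule and its ContextInfo sibling both derive from `65531a81-a694-4e31-ae04-f8ba5bc33759`, so whichever fix is chosen should be applied to both.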
diff --git a/rules/alert-rules/sigma/powershell_suspicious_export_pfxcertificate.yml b/rules/alert-rules/sigma/powershell_suspicious_export_pfxcertificate.yml
deleted file mode 100644
index 72f51c99..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_export_pfxcertificate.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious Export-PfxCertificate
-author: Florian Roth
-date: 2021/04/23
-description: Detects Commandlet that is used to export certificates from the local
- certificate store and sometimes used by threat actors to steal private keys from
- compromised machines
-detection:
- SELECTION_1:
- ScriptBlockText: '*Export-PfxCertificate*'
- condition: SELECTION_1
-falsepositives:
-- Legitimate certificate exports invoked by administrators or users (depends on processes
- in the environment - filter if unusable)
-id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/08/04
-references:
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
-- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1552.004
-yml_filename: powershell_suspicious_export_pfxcertificate.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_suspicious_getprocess_lsass.yml b/rules/alert-rules/sigma/powershell_suspicious_getprocess_lsass.yml
deleted file mode 100644
index 26746634..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_getprocess_lsass.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: PowerShell Get-Process LSASS in ScriptBlock
-author: Florian Roth
-date: 2021/04/23
-description: Detects a Get-Process command on lsass process, which is in almost all
- cases a sign of malicious activity
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-Process lsass*'
- condition: SELECTION_1
-falsepositives:
-- Legitimate certificate exports invoked by administrators or users (depends on processes
- in the environment - filter if unusable)
-id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
-level: high
-logsource:
- category: ps_script
- definition: Script Block Logging must be enable
- product: windows
-modified: 2021/10/16
-references:
-- https://twitter.com/PythonResponder/status/1385064506049630211
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-yml_filename: powershell_suspicious_getprocess_lsass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
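Review bot: the `falsepositives` entry `Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)` was copied from the Export-PfxCertificate rule and has nothing to do with `Get-Process lsass`; replace it with the real benign case (monitoring or EDR scripts that enumerate lsass). The single pattern `'*Get-Process lsass*'` also requires the process name as the first positional argument, so `Get-Process -Name lsass` and the alias form `gps lsass` are not matched.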
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic.yml
deleted file mode 100644
index 41f295c0..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Suspicious PowerShell Invocations - Generic
-author: Florian Roth (rule)
-date: 2017/03/12
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- condition: (( -enc or -EncodedCommand ) and ( -w hidden or -window hidden or -windowstyle
- hidden ) and ( -noni or -noninteractive ))
-falsepositives:
-- Penetration tests
-- Very special / sneaky PowerShell scripts
-id: 3d304fda-78aa-43ed-975c-d740798a49c1
-level: high
-logsource:
- product: windows
- service: powershell
-status: deprecated
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_generic.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
deleted file mode 100644
index 0ec8c3e4..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Suspicious PowerShell Invocations - Generic
-author: Florian Roth (rule)
-date: 2017/03/12
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- SELECTION_1:
- ContextInfo: '* -enc *'
- SELECTION_2:
- ContextInfo: '* -EncodedCommand *'
- SELECTION_3:
- ContextInfo: '* -w hidden *'
- SELECTION_4:
- ContextInfo: '* -window hidden *'
- SELECTION_5:
- ContextInfo: '* -windowstyle hidden *'
- SELECTION_6:
- ContextInfo: '* -noni *'
- SELECTION_7:
- ContextInfo: '* -noninteractive *'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7))
-falsepositives:
-- Penetration tests
-- Very special / sneaky PowerShell scripts
-id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
-level: high
-logsource:
- category: ps_module
- product: windows
-modified: 2021/10/18
-related:
-- id: 3d304fda-78aa-43ed-975c-d740798a49c1
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_generic_in_contextinfo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
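Review bot: every pattern in SELECTION_1 to SELECTION_7 requires both a leading and a trailing space (`'* -enc *'`, `'* -w hidden *'`, `'* -noni *'`), so a switch that ends the logged string or is followed by a quote or newline is not matched, and the unambiguous abbreviations powershell.exe accepts (`-e`, `-ec`, `-en` for `-EncodedCommand`; `-nonin` for `-NonInteractive`) fall through entirely. List the abbreviations explicitly and drop the trailing space from the switch patterns.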
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
deleted file mode 100644
index 54e3b596..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Suspicious PowerShell Invocations - Generic
-author: Florian Roth (rule)
-date: 2017/03/12
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- SELECTION_1:
- ScriptBlockText: '* -enc *'
- SELECTION_2:
- ScriptBlockText: '* -EncodedCommand *'
- SELECTION_3:
- ScriptBlockText: '* -w hidden *'
- SELECTION_4:
- ScriptBlockText: '* -window hidden *'
- SELECTION_5:
- ScriptBlockText: '* -windowstyle hidden *'
- SELECTION_6:
- ScriptBlockText: '* -noni *'
- SELECTION_7:
- ScriptBlockText: '* -noninteractive *'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7))
-falsepositives:
-- Penetration tests
-- Very special / sneaky PowerShell scripts
-id: ed965133-513f-41d9-a441-e38076a0798f
-level: high
-logsource:
- category: ps_script
- product: windows
-modified: 2021/10/18
-related:
-- id: 3d304fda-78aa-43ed-975c-d740798a49c1
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_generic_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
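Review bot: the ScriptBlockText patterns carry the same trailing-space requirement as the rest of this rule family (`'* -enc *'`, `'* -noni *'`), so a switch at the end of a script block or followed by a quote is missed, and the `-e`, `-ec` and `-en` abbreviations of `-EncodedCommand` that powershell.exe accepts are not covered at all; enumerate the abbreviations and match on the switch without the trailing space.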
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific.yml
deleted file mode 100644
index 8e69e8dd..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious PowerShell Invocations - Specific
-author: Florian Roth (rule), Jonhnathan Ribeiro
-date: 2017/03/05
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- condition: (((( -w and hidden and ((-nop and -c and ([Convert]::FromBase64String
- or (-noni and iex and New-Object))) or (-ep and bypass and -Enc))) or (powershell
- and reg and add and HKCU\software\microsoft\windows\currentversion\run)) or
- (bypass and -noprofile and -windowstyle and hidden and new-object and system.net.webclient
- and .download)) or (iex and New-Object and Net.WebClient and .Download))
-falsepositives:
-- Penetration tests
-id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
-level: high
-logsource:
- definition: Script block logging must be enabled for 4104, Module Logging must
- be enabled for 4103
- product: windows
- service: powershell
-status: deprecated
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_specific.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
deleted file mode 100644
index cb5677d7..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-title: Suspicious PowerShell Invocations - Specific
-author: Florian Roth (rule), Jonhnathan Ribeiro
-date: 2017/03/05
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- SELECTION_1:
- ContextInfo: '*-nop*'
- SELECTION_10:
- ContextInfo: '* -c *'
- SELECTION_11:
- ContextInfo: '*iex*'
- SELECTION_12:
- ContextInfo: '*New-Object*'
- SELECTION_13:
- ContextInfo: '* -w *'
- SELECTION_14:
- ContextInfo: '*hidden*'
- SELECTION_15:
- ContextInfo: '*-ep*'
- SELECTION_16:
- ContextInfo: '*bypass*'
- SELECTION_17:
- ContextInfo: '*-Enc*'
- SELECTION_18:
- ContextInfo: '*powershell*'
- SELECTION_19:
- ContextInfo: '*reg*'
- SELECTION_2:
- ContextInfo: '* -w *'
- SELECTION_20:
- ContextInfo: '*add*'
- SELECTION_21:
- ContextInfo: '*HKCU\software\microsoft\windows\currentversion\run*'
- SELECTION_22:
- ContextInfo: '*bypass*'
- SELECTION_23:
- ContextInfo: '*-noprofile*'
- SELECTION_24:
- ContextInfo: '*-windowstyle*'
- SELECTION_25:
- ContextInfo: '*hidden*'
- SELECTION_26:
- ContextInfo: '*new-object*'
- SELECTION_27:
- ContextInfo: '*system.net.webclient*'
- SELECTION_28:
- ContextInfo: '*.download*'
- SELECTION_29:
- ContextInfo: '*iex*'
- SELECTION_3:
- ContextInfo: '*hidden*'
- SELECTION_30:
- ContextInfo: '*New-Object*'
- SELECTION_31:
- ContextInfo: '*Net.WebClient*'
- SELECTION_32:
- ContextInfo: '*.Download*'
- SELECTION_4:
- ContextInfo: '* -c *'
- SELECTION_5:
- ContextInfo: '*[Convert]::FromBase64String*'
- SELECTION_6:
- ContextInfo: '* -w *'
- SELECTION_7:
- ContextInfo: '*hidden*'
- SELECTION_8:
- ContextInfo: '*-noni*'
- SELECTION_9:
- ContextInfo: '*-nop*'
- condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
- and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
- and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
- and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
- and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
- and SELECTION_31 and SELECTION_32))
-falsepositives:
-- Penetration tests
-id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
-level: high
-logsource:
- category: ps_module
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/18
-related:
-- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_specific_in_contextinfo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
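Review bot: `definition: Script block logging must be enabled` is wrong for a `category: ps_module` rule: `ContextInfo` is populated by module logging (Event ID 4103), not script block logging. The deprecated parent `fce5f582-cc00-41e1-941a-c6fabf0fdb8c` carried both halves (`Script block logging must be enabled for 4104, Module Logging must be enabled for 4103`) and only the inapplicable half survived the split. Separately, the converter emitted the same pattern under several names (`SELECTION_2`, `SELECTION_6` and `SELECTION_13` are all `'* -w *'`; `SELECTION_3`, `SELECTION_7`, `SELECTION_14` and `SELECTION_25` are all `'*hidden*'`; `SELECTION_1`/`SELECTION_9`, `SELECTION_4`/`SELECTION_10`, `SELECTION_11`/`SELECTION_29`, `SELECTION_12`/`SELECTION_30` and `SELECTION_16`/`SELECTION_22` are duplicate pairs); deduplicating them would make the condition readable.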
diff --git a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
deleted file mode 100644
index f55eb70a..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-title: Suspicious PowerShell Invocations - Specific
-author: Florian Roth (rule), Jonhnathan Ribeiro
-date: 2017/03/05
-description: Detects suspicious PowerShell invocation command parameters
-detection:
- SELECTION_1:
- ScriptBlockText: '*-nop*'
- SELECTION_10:
- ScriptBlockText: '* -c *'
- SELECTION_11:
- ScriptBlockText: '*iex*'
- SELECTION_12:
- ScriptBlockText: '*New-Object*'
- SELECTION_13:
- ScriptBlockText: '* -w *'
- SELECTION_14:
- ScriptBlockText: '*hidden*'
- SELECTION_15:
- ScriptBlockText: '*-ep*'
- SELECTION_16:
- ScriptBlockText: '*bypass*'
- SELECTION_17:
- ScriptBlockText: '*-Enc*'
- SELECTION_18:
- ScriptBlockText: '*powershell*'
- SELECTION_19:
- ScriptBlockText: '*reg*'
- SELECTION_2:
- ScriptBlockText: '* -w *'
- SELECTION_20:
- ScriptBlockText: '*add*'
- SELECTION_21:
- ScriptBlockText: '*HKCU\software\microsoft\windows\currentversion\run*'
- SELECTION_22:
- ScriptBlockText: '*bypass*'
- SELECTION_23:
- ScriptBlockText: '*-noprofile*'
- SELECTION_24:
- ScriptBlockText: '*-windowstyle*'
- SELECTION_25:
- ScriptBlockText: '*hidden*'
- SELECTION_26:
- ScriptBlockText: '*new-object*'
- SELECTION_27:
- ScriptBlockText: '*system.net.webclient*'
- SELECTION_28:
- ScriptBlockText: '*.download*'
- SELECTION_29:
- ScriptBlockText: '*iex*'
- SELECTION_3:
- ScriptBlockText: '*hidden*'
- SELECTION_30:
- ScriptBlockText: '*New-Object*'
- SELECTION_31:
- ScriptBlockText: '*Net.WebClient*'
- SELECTION_32:
- ScriptBlockText: '*.Download*'
- SELECTION_4:
- ScriptBlockText: '* -c *'
- SELECTION_5:
- ScriptBlockText: '*[Convert]::FromBase64String*'
- SELECTION_6:
- ScriptBlockText: '* -w *'
- SELECTION_7:
- ScriptBlockText: '*hidden*'
- SELECTION_8:
- ScriptBlockText: '*-noni*'
- SELECTION_9:
- ScriptBlockText: '*-nop*'
- condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
- and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
- and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
- and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
- and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
- and SELECTION_31 and SELECTION_32))
-falsepositives:
-- Penetration tests
-id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/18
-related:
-- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_invocation_specific_in_scripblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
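Review bot: the file name `powershell_suspicious_invocation_specific_in_scripblocktext.yml` and the matching `yml_filename` field misspell "scriptblocktext" (missing the `t`), which breaks the naming pattern every other `_in_scriptblocktext` rule in this patch follows; if the rule is recreated elsewhere, fix the name. The selection list also contains the same duplicated patterns as the ContextInfo variant (`SELECTION_2`/`SELECTION_6`/`SELECTION_13` are all `'* -w *'`, `SELECTION_3`/`SELECTION_7`/`SELECTION_14`/`SELECTION_25` are all `'*hidden*'`) and should be deduplicated.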
diff --git a/rules/alert-rules/sigma/powershell_suspicious_keywords.yml b/rules/alert-rules/sigma/powershell_suspicious_keywords.yml
deleted file mode 100644
index bf942639..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_keywords.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Suspicious PowerShell Keywords
-author: Florian Roth, Perez Diego (@darkquassar)
-date: 2019/02/11
-description: Detects keywords that could indicate the use of some PowerShell exploitation
- framework
-detection:
- SELECTION_1:
- ScriptBlockText: '*System.Reflection.Assembly.Load($*'
- SELECTION_10:
- ScriptBlockText: '*http://127.0.0.1*'
- SELECTION_2:
- ScriptBlockText: '*[System.Reflection.Assembly]::Load($*'
- SELECTION_3:
- ScriptBlockText: '*[Reflection.Assembly]::Load($*'
- SELECTION_4:
- ScriptBlockText: '*System.Reflection.AssemblyName*'
- SELECTION_5:
- ScriptBlockText: '*Reflection.Emit.AssemblyBuilderAccess*'
- SELECTION_6:
- ScriptBlockText: '*Runtime.InteropServices.DllImportAttribute*'
- SELECTION_7:
- ScriptBlockText: '*SuspendThread*'
- SELECTION_8:
- ScriptBlockText: '*rundll32*'
- SELECTION_9:
- ScriptBlockText: '*Invoke-WMIMethod*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
-falsepositives:
-- Penetration tests
-id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled for 4104
- product: windows
-modified: 2021/10/16
-references:
-- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
-- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
-- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
-- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_suspicious_keywords.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
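Review bot: `'*rundll32*'`, `'*Invoke-WMIMethod*'` and `'*http://127.0.0.1*'` are single generic tokens ORed with the reflection keywords at `level: high`; `Invoke-WmiMethod` is routine in administration scripts and `rundll32` appears in benign installers, so this will fire in cases the sole `falsepositives` entry (`Penetration tests`) does not cover. Move the generic tokens into a lower-level rule or add the benign cases to `falsepositives`.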
diff --git a/rules/alert-rules/sigma/powershell_suspicious_mail_acces.yml b/rules/alert-rules/sigma/powershell_suspicious_mail_acces.yml
deleted file mode 100644
index 34ffd7e7..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_mail_acces.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Powershell Local Email Collection
-author: frack113
-date: 2021/07/21
-description: "Adversaries may target user email on local systems to collect sensitive\
- \ information. Files containing email data can be acquired from a user\u2019s\
- \ local system, such as Outlook storage or cache files."
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-Inbox.ps1*'
- SELECTION_2:
- ScriptBlockText: '*Microsoft.Office.Interop.Outlook*'
- SELECTION_3:
- ScriptBlockText: '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
- SELECTION_4:
- ScriptBlockText: '*-comobject outlook.application*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- Unknown
-id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1114.001
-yml_filename: powershell_suspicious_mail_acces.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
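Review bot: SELECTION_3 `'*Microsoft.Office.Interop.Outlook.olDefaultFolders*'` is fully subsumed by SELECTION_2 `'*Microsoft.Office.Interop.Outlook*'` in an OR condition and can be dropped. The file name `powershell_suspicious_mail_acces.yml` and its `yml_filename` field misspell "access".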
diff --git a/rules/alert-rules/sigma/powershell_suspicious_mounted_share_deletion.yml b/rules/alert-rules/sigma/powershell_suspicious_mounted_share_deletion.yml
deleted file mode 100644
index fe895397..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_mounted_share_deletion.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: PowerShell Deleted Mounted Share
-author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2020/10/08
-description: Detects when when a mounted share is removed. Adversaries may remove
- share connections that are no longer useful in order to clean up traces of their
- operation
-detection:
- SELECTION_1:
- ScriptBlockText: '*Remove-SmbShare*'
- SELECTION_2:
- ScriptBlockText: '*Remove-FileShare*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Administrators or Power users may remove their shares via cmd line
-id: 66a4d409-451b-4151-94f4-a55d559c49b0
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.005
-yml_filename: powershell_suspicious_mounted_share_deletion.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
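Review bot: `Remove-SmbShare` deletes a share the host is serving, not a connection the host has mounted; the connection-removal behaviour the title and `attack.t1070.005` describe corresponds to `Remove-SmbMapping` (and `Remove-PSDrive` for mapped drives), neither of which is in SELECTION_1/SELECTION_2. Add a selection for those cmdlets or retitle the rule. Minor: the description reads `Detects when when a mounted share is removed`.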
diff --git a/rules/alert-rules/sigma/powershell_suspicious_recon.yml b/rules/alert-rules/sigma/powershell_suspicious_recon.yml
deleted file mode 100644
index f8660dc3..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_recon.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Recon Information for Export with PowerShell
-author: frack113
-date: 2021/07/30
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data
-detection:
- SELECTION_1:
- ScriptBlockText: '*Get-Service *'
- SELECTION_2:
- ScriptBlockText: '*Get-ChildItem *'
- SELECTION_3:
- ScriptBlockText: '*Get-Process *'
- SELECTION_4:
- ScriptBlockText: '*> $env:TEMP\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: a9723fcc-881c-424c-8709-fd61442ab3c3
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1119
-yml_filename: powershell_suspicious_recon.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
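Review bot: SELECTION_4 `'*> $env:TEMP\\*'` only matches a `>` redirect followed by a space, so `Get-Process | Out-File $env:TEMP\p.txt`, `Export-Csv -Path $env:TEMP\...` and `>$env:TEMP\...` without the space stage the same data without matching; add the cmdlet forms and drop the space. SELECTION_1 to SELECTION_3 also require a trailing space after the cmdlet name, so a bare `Get-Process |` pipeline is missed.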
diff --git a/rules/alert-rules/sigma/powershell_suspicious_win32_pnpentity.yml b/rules/alert-rules/sigma/powershell_suspicious_win32_pnpentity.yml
deleted file mode 100644
index 794f2380..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_win32_pnpentity.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Powershell Suspicious Win32_PnPEntity
-author: frack113
-date: 2021/08/23
-description: Adversaries may attempt to gather information about attached peripheral
- devices and components connected to a computer system.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Win32_PnPEntity*'
- condition: SELECTION_1
-falsepositives:
-- admin script
-id: b26647de-4feb-4283-af6b-6117661283c5
-level: low
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
-status: experimental
-tags:
-- attack.discovery
-- attack.t1120
-yml_filename: powershell_suspicious_win32_pnpentity.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
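Review bot: `'*Win32_PnPEntity*'` catches the `Get-WmiObject`/`Get-CimInstance` forms but not `Get-PnpDevice`, which returns the same peripheral inventory without that class name ever appearing in the script block; add it as a second selection.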
diff --git a/rules/alert-rules/sigma/powershell_suspicious_windowstyle.yml b/rules/alert-rules/sigma/powershell_suspicious_windowstyle.yml
deleted file mode 100644
index f1aadd3c..00000000
--- a/rules/alert-rules/sigma/powershell_suspicious_windowstyle.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious PowerShell WindowStyle Option
-author: frack113
-date: 2021/10/20
-description: Adversaries may use hidden windows to conceal malicious activity from
- the plain sight of users. In some cases, windows that would typically be displayed
- when an application carries out an operation can be hidden
-detection:
- SELECTION_1:
- ScriptBlockText: '*powershell*'
- SELECTION_2:
- ScriptBlockText: '*WindowStyle*'
- SELECTION_3:
- ScriptBlockText: '*Hidden*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
-level: medium
-logsource:
- category: ps_script
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.003
-yml_filename: powershell_suspicious_windowstyle.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
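Review bot: unlike its sibling `category: ps_script` rules this one has no `definition:` line stating that script block logging is required and no `modified:` date, which should be added for consistency. SELECTION_2 `'*WindowStyle*'` also requires the full parameter name, so the `-w hidden` abbreviation is not matched here; if that is intentional because the generic invocation rule covers it, the description should say so.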
diff --git a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe.yml
deleted file mode 100644
index 1cc66e82..00000000
--- a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
-date: 2020/10/05
-description: Detects SyncAppvPublishingServer process execution which usually utilized
- by adversaries to bypass PowerShell execution restrictions.
-detection:
- condition: SyncAppvPublishingServer.exe
-falsepositives:
-- App-V clients
-id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
-level: medium
-logsource:
- product: windows
- service: powershell
-modified: 2021/09/11
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-related:
-- id: fde7929d-8beb-4a4c-b922-be9974671667
- type: derived
-status: deprecated
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: powershell_syncappvpublishingserver_exe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
diff --git a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
deleted file mode 100644
index 36c7e913..00000000
--- a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
-date: 2020/10/05
-description: Detects SyncAppvPublishingServer process execution which usually utilized
- by adversaries to bypass PowerShell execution restrictions.
-detection:
- SELECTION_1:
- ContextInfo: '*SyncAppvPublishingServer.exe*'
- condition: SELECTION_1
-falsepositives:
-- App-V clients
-id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
-level: medium
-logsource:
- category: ps_module
- product: windows
-modified: 2021/10/18
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-related:
-- id: fde7929d-8beb-4a4c-b922-be9974671667
- type: derived
-- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
- type: derived
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: powershell_syncappvpublishingserver_exe_in_contextinfo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
-
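Review bot: this rule has no `status` field, while every other derived rule in this patch carries `status: experimental` and its parent `9f7aa113-9da6-4a8d-907c-5f1a4b908299` carries `status: deprecated`; consumers that filter by status will treat it inconsistently, so add one.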
diff --git a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
deleted file mode 100644
index 3d9f4198..00000000
--- a/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
-date: 2020/10/05
-description: Detects SyncAppvPublishingServer process execution which usually utilized
- by adversaries to bypass PowerShell execution restrictions.
-detection:
- SELECTION_1:
- ScriptBlockText: '*SyncAppvPublishingServer.exe*'
- condition: SELECTION_1
-falsepositives:
-- App-V clients
-id: dddfebae-c46f-439c-af7a-fdb6bde90218
-level: medium
-logsource:
- category: ps_script
- product: windows
-modified: 2021/10/18
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-related:
-- id: fde7929d-8beb-4a4c-b922-be9974671667
- type: derived
-- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
- type: derived
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
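Review bot: `status` is missing here as well; the other `_in_scriptblocktext` rules in this batch all carry `status: experimental`, and the parent `9f7aa113-9da6-4a8d-907c-5f1a4b908299` is `deprecated`, so this rule should state its own status explicitly.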
diff --git a/rules/alert-rules/sigma/powershell_tamper_with_windows_defender.yml b/rules/alert-rules/sigma/powershell_tamper_with_windows_defender.yml
deleted file mode 100644
index 1ad63744..00000000
--- a/rules/alert-rules/sigma/powershell_tamper_with_windows_defender.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Tamper Windows Defender
-author: frack113
-date: 2021/06/07
-description: Attempting to disable scheduled scanning and other parts of windows defender
- atp.
-detection:
- SELECTION_1:
- HostApplication: '*Set-MpPreference*'
- SELECTION_2:
- HostApplication: '*-DisableRealtimeMonitoring 1*'
- SELECTION_3:
- HostApplication: '*-DisableBehaviorMonitoring 1*'
- SELECTION_4:
- HostApplication: '*-DisableScriptScanning 1*'
- SELECTION_5:
- HostApplication: '*-DisableBlockAtFirstSeen 1*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: ec19ebab-72dc-40e1-9728-4c0b805d722c
-level: high
-logsource:
- category: ps_classic_provider_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: powershell_tamper_with_windows_defender.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
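Review bot: SELECTION_2 to SELECTION_5 match only the numeric literal (`'*-DisableRealtimeMonitoring 1*'`), but the documented and most commonly used form is `Set-MpPreference -DisableRealtimeMonitoring $true`, which this rule misses; match the switch name followed by either `1` or `$true`, or match the switch name alone and treat anything other than `0`/`$false` as suspicious. The description `disable scheduled scanning and other parts of windows defender atp` is also inaccurate: `Set-MpPreference` configures Microsoft Defender Antivirus, not Defender for Endpoint (ATP).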
diff --git a/rules/alert-rules/sigma/powershell_timestomp.yml b/rules/alert-rules/sigma/powershell_timestomp.yml
deleted file mode 100644
index 9904748e..00000000
--- a/rules/alert-rules/sigma/powershell_timestomp.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Powershell Timestomp
-author: frack113
-date: 2021/08/03
-description: Adversaries may modify file time attributes to hide new or changes to
- existing files. Timestomping is a technique that modifies the timestamps of a
- file (the modify, access, create, and change times), often to mimic files that
- are in the same folder.
-detection:
- SELECTION_1:
- ScriptBlockText: '*.CreationTime =*'
- SELECTION_2:
- ScriptBlockText: '*.LastWriteTime =*'
- SELECTION_3:
- ScriptBlockText: '*.LastAccessTime =*'
- SELECTION_4:
- ScriptBlockText: '*[IO.File]::SetCreationTime*'
- SELECTION_5:
- ScriptBlockText: '*[IO.File]::SetLastAccessTime*'
- SELECTION_6:
- ScriptBlockText: '*[IO.File]::SetLastWriteTime*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6)
-falsepositives:
-- legitime admin script
-id: c6438007-e081-42ce-9483-b067fbef33c3
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
-- https://www.offensive-security.com/metasploit-unleashed/timestomp/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.006
-yml_filename: powershell_timestomp.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
diff --git a/rules/alert-rules/sigma/powershell_trigger_profiles.yml b/rules/alert-rules/sigma/powershell_trigger_profiles.yml
deleted file mode 100644
index 65698263..00000000
--- a/rules/alert-rules/sigma/powershell_trigger_profiles.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Powershell Trigger Profiles by Add_Content
-author: frack113
-date: 2021/08/18
-description: Adversaries may gain persistence and elevate privileges by executing
- malicious content triggered by PowerShell profiles.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Add-Content*'
- SELECTION_2:
- ScriptBlockText: '*$profile*'
- SELECTION_3:
- ScriptBlockText: '*-Value*'
- SELECTION_4:
- ScriptBlockText: '*Start-Process*'
- SELECTION_5:
- ScriptBlockText: '*""*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1546.013
-yml_filename: powershell_trigger_profiles.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
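Review bot: the title `Powershell Trigger Profiles by Add_Content` names the cmdlet with an underscore while SELECTION_1 matches `*Add-Content*`; the title should use the real cmdlet name. The `tags` block also lists only `attack.privilege_escalation` although the description opens with "Adversaries may gain persistence", so `attack.persistence` is missing from any successor of this rule.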
diff --git a/rules/alert-rules/sigma/powershell_web_request.yml b/rules/alert-rules/sigma/powershell_web_request.yml
deleted file mode 100644
index 06eedc0a..00000000
--- a/rules/alert-rules/sigma/powershell_web_request.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Windows PowerShell Web Request
-author: James Pemberton / @4A616D6573
-date: 2019/10/24
-description: Detects the use of various web request methods (including aliases) via
- Windows PowerShell command
-detection:
- SELECTION_1:
- ScriptBlockText: '*Invoke-WebRequest*'
- SELECTION_2:
- ScriptBlockText: '*iwr *'
- SELECTION_3:
- ScriptBlockText: '*wget *'
- SELECTION_4:
- ScriptBlockText: '*curl *'
- SELECTION_5:
- ScriptBlockText: '*Net.WebClient*'
- SELECTION_6:
- ScriptBlockText: '*Start-BitsTransfer*'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6)
-falsepositives:
-- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
-id: 1139d2e2-84b1-4226-b445-354492eba8ba
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
-- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
-related:
-- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_web_request.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
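Review bot: the `tags` block carries `attack.t1086` next to `attack.t1059.001`; T1086 is the deprecated predecessor of T1059.001, so any copy of this rule kept elsewhere should drop it. Note also that SELECTION_3 (`*wget *`) and SELECTION_4 (`*curl *`) match script blocks that call the native `curl.exe`/`wget` binaries, not only the PowerShell aliases, which the single `falsepositives` entry about Get-Command/Get-Help does not cover.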
diff --git a/rules/alert-rules/sigma/powershell_windows_firewall_profile_disabled.yml b/rules/alert-rules/sigma/powershell_windows_firewall_profile_disabled.yml
deleted file mode 100644
index 6232d97f..00000000
--- a/rules/alert-rules/sigma/powershell_windows_firewall_profile_disabled.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Windows Firewall Profile Disabled
-author: Austin Songer @austinsonger
-date: 2021/10/12
-description: Detects when a user disables the Windows Firewall via a Profile to help
- evade defense.
-detection:
- SELECTION_1:
- ScriptBlockText: '*Set-NetFirewallProfile*'
- SELECTION_2:
- ScriptBlockText: '*-Profile*'
- SELECTION_3:
- ScriptBlockText: '*-Enabled*'
- SELECTION_4:
- ScriptBlockText: '*False*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 488b44e7-3781-4a71-888d-c95abfacf44d
-level: high
-logsource:
- category: ps_script
- product: windows
-modified: 2021/10/16
-references:
-- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
-- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
-- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
-- http://woshub.com/manage-windows-firewall-powershell/
-status: experimental
-tags:
-- attack.defense_evasion
-yml_filename: powershell_windows_firewall_profile_disabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
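Review bot: the `tags` block lists only the tactic `attack.defense_evasion` with no technique id, unlike every neighbouring rule; the matching technique for disabling the host firewall is T1562.004 and should be tagged if this rule is retained. The `logsource` block is also the only `ps_script` rule in this diff without a `definition` line stating that script block logging must be enabled.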
diff --git a/rules/alert-rules/sigma/powershell_winlogon_helper_dll.yml b/rules/alert-rules/sigma/powershell_winlogon_helper_dll.yml
deleted file mode 100644
index 83af6cdb..00000000
--- a/rules/alert-rules/sigma/powershell_winlogon_helper_dll.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Winlogon Helper DLL
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
- as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
- entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
- and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
- additional helper programs and functionalities that support Winlogon. Malicious
- modifications to these Registry keys may cause Winlogon to load and execute malicious
- DLLs and/or executables.
-detection:
- SELECTION_1:
- ScriptBlockText: '*CurrentVersion\Winlogon*'
- SELECTION_2:
- ScriptBlockText: '*Set-ItemProperty*'
- SELECTION_3:
- ScriptBlockText: '*New-Item*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 851c506b-6b7c-4ce2-8802-c703009d03c0
-level: medium
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
-status: experimental
-tags:
-- attack.persistence
-- attack.t1547.004
-- attack.t1004
-yml_filename: powershell_winlogon_helper_dll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
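Review bot: the registry path in the description, `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, has lost the backslashes around the optional `Wow6432Node` component, so it is not a valid key path as written. The `tags` block also keeps the deprecated `attack.t1004` beside its successor `attack.t1547.004`.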
diff --git a/rules/alert-rules/sigma/powershell_wmi_persistence.yml b/rules/alert-rules/sigma/powershell_wmi_persistence.yml
deleted file mode 100644
index 92091a2d..00000000
--- a/rules/alert-rules/sigma/powershell_wmi_persistence.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Powershell WMI Persistence
-author: frack113
-date: 2021/08/19
-description: Adversaries may establish persistence and elevate privileges by executing
- malicious content triggered by a Windows Management Instrumentation (WMI) event
- subscription.
-detection:
- SELECTION_1:
- ScriptBlockText: '*New-CimInstance *'
- SELECTION_2:
- ScriptBlockText: '*-Namespace root/subscription *'
- SELECTION_3:
- ScriptBlockText: '*-Property *'
- SELECTION_4:
- ScriptBlockText: '*-ClassName __EventFilter *'
- SELECTION_5:
- ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
-level: medium
-logsource:
- category: ps_script
- definition: EnableScriptBlockLogging must be set to enable
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
-- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1546.003
-yml_filename: powershell_wmi_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
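Review bot: SELECTION_1 through SELECTION_5 rely on trailing spaces inside the quotes (for example `'*New-CimInstance *'` and `'*-Property *'`) to require that an argument follows the token; a converter or editor that trims whitespace would silently change these patterns, so the generator should preserve and the rule should document that the spaces are intentional. As with the Trigger Profiles rule, the description speaks of persistence but only `attack.privilege_escalation` is tagged.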
diff --git a/rules/alert-rules/sigma/powershell_wmimplant.yml b/rules/alert-rules/sigma/powershell_wmimplant.yml
deleted file mode 100644
index 8810c9f5..00000000
--- a/rules/alert-rules/sigma/powershell_wmimplant.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-title: WMImplant Hack Tool
-author: NVISO
-date: 2020/03/26
-description: Detects parameters used by WMImplant
-detection:
- SELECTION_1:
- ScriptBlockText: '*WMImplant*'
- SELECTION_10:
- ScriptBlockText: '* remote_posh *'
- SELECTION_11:
- ScriptBlockText: '* sched_job *'
- SELECTION_12:
- ScriptBlockText: '* service_mod *'
- SELECTION_13:
- ScriptBlockText: '* process_kill *'
- SELECTION_14:
- ScriptBlockText: '* active_users *'
- SELECTION_15:
- ScriptBlockText: '* basic_info *'
- SELECTION_16:
- ScriptBlockText: '* power_off *'
- SELECTION_17:
- ScriptBlockText: '* vacant_system *'
- SELECTION_18:
- ScriptBlockText: '* logon_events *'
- SELECTION_2:
- ScriptBlockText: '* change_user *'
- SELECTION_3:
- ScriptBlockText: '* gen_cli *'
- SELECTION_4:
- ScriptBlockText: '* command_exec *'
- SELECTION_5:
- ScriptBlockText: '* disable_wdigest *'
- SELECTION_6:
- ScriptBlockText: '* disable_winrm *'
- SELECTION_7:
- ScriptBlockText: '* enable_wdigest *'
- SELECTION_8:
- ScriptBlockText: '* enable_winrm *'
- SELECTION_9:
- ScriptBlockText: '* registry_mod *'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18)
-falsepositives:
-- Administrative scripts that use the same keywords.
-id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
-level: high
-logsource:
- category: ps_script
- definition: Script block logging must be enabled
- product: windows
-modified: 2021/10/16
-references:
-- https://github.com/FortyNorthSecurity/WMImplant
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_wmimplant.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
-
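Review bot: the generated `SELECTION_*` keys are emitted in lexicographic order (SELECTION_1, SELECTION_10, ..., SELECTION_18, SELECTION_2, ...), which makes the long `condition` hard to check against the map; the same ordering appears in the alternate_data_streams, apt_gallium_sha1, apt_wocao and automated_collection hunks. If the converter is rerun, sorting the keys numerically would make the output reviewable. The `tags` block also carries deprecated `attack.t1086` alongside `attack.t1059.001`.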
diff --git a/rules/alert-rules/sigma/powershell_wsman_com_provider_no_powershell.yml b/rules/alert-rules/sigma/powershell_wsman_com_provider_no_powershell.yml
deleted file mode 100644
index 1730e3c9..00000000
--- a/rules/alert-rules/sigma/powershell_wsman_com_provider_no_powershell.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious Non PowerShell WSMAN COM Provider
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
- the host application.
-detection:
- SELECTION_1:
- ProviderName: WSMan
- SELECTION_2:
- HostApplication: '*powershell*'
- condition: (SELECTION_1 and not (SELECTION_2))
-falsepositives:
-- Unknown
-id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
-level: medium
-logsource:
- definition: fields have to be extract from event
- product: windows
- service: powershell-classic
-modified: 2021/08/30
-references:
-- https://twitter.com/chadtilbury/status/1275851297770610688
-- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
-- https://github.com/bohops/WSMan-WinRM
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.lateral_movement
-- attack.t1021.003
-yml_filename: powershell_wsman_com_provider_no_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
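Review bot: the `logsource` block uses `service: powershell-classic` where the neighbouring classic-provider rules use `category: ps_classic_start` or `ps_classic_provider_start`; any field-mapping configuration keyed on `category` will not apply to this rule, so a replacement should either use the category form or the mapping must cover the service name too. The `ProviderName: WSMan` match in SELECTION_1 is the only selection in this diff keyed on that field, which is worth a `definition` note.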
diff --git a/rules/alert-rules/sigma/powershell_xor_commandline.yml b/rules/alert-rules/sigma/powershell_xor_commandline.yml
deleted file mode 100644
index 18a2a222..00000000
--- a/rules/alert-rules/sigma/powershell_xor_commandline.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious XOR Encoded PowerShell Command Line
-author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020/06/29
-description: Detects suspicious powershell process which includes bxor command, alternative
- obfuscation method to b64 encoded commands.
-detection:
- SELECTION_1:
- HostName: ConsoleHost
- SELECTION_2:
- HostApplication: '*bxor*'
- SELECTION_3:
- HostApplication: '*join*'
- SELECTION_4:
- HostApplication: '*char*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
-level: medium
-logsource:
- category: ps_classic_start
- definition: fields have to be extract from event
- product: windows
-modified: 2021/10/16
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: powershell_xor_commandline.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
-
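Review bot: the `condition` `(SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))` does not require `bxor` at all: any ConsoleHost command line containing `join` or `char` fires, which contradicts the description ("includes bxor command") and will be noisy on ordinary string handling. A successor rule should make SELECTION_2 mandatory and OR only the `join`/`char` indicators, and add a `references` entry, which this file lacks.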
diff --git a/rules/alert-rules/sigma/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/alert-rules/sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
deleted file mode 100644
index 770b6e54..00000000
--- a/rules/alert-rules/sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Abusing Windows Telemetry For Persistence
-author: Sreeman
-date: 2020/09/29
-description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
- a variety of commands and perform the actual telemetry collections. This binary
- was created to be easily extensible, and to that end, it relies on the registry
- to instruct on which commands to run. The problem is, it will run any arbitrary
- command without restriction of location or type.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine|re: (?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft
- Compatibility Appraiser.*
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- none
-fields:
-- EventID
-- CommandLine
-- TargetObject
-- Details
-id: f548a603-c9f2-4c89-b511-b089f7e94549
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/09
-references:
-- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.persistence
-- attack.t1112
-- attack.t1053
-yml_filename: process_creation_abusing_windows_telemetry_for_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
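Review bot: the `CommandLine|re` pattern in SELECTION_2 is a plain (unquoted) YAML scalar continued onto a second line, so the line break folds into the single space between `Microsoft` and `Compatibility Appraiser`; that is correct as written but fragile, since any reformatting of the indentation changes the regex. Quoting the pattern on one line would be safer. The `falsepositives` value `none` is also inconsistent with `None`/`Unknown` used elsewhere in this diff.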
diff --git a/rules/alert-rules/sigma/process_creation_advanced_ip_scanner.yml b/rules/alert-rules/sigma/process_creation_advanced_ip_scanner.yml
deleted file mode 100644
index 9f510cc5..00000000
--- a/rules/alert-rules/sigma/process_creation_advanced_ip_scanner.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Advanced IP Scanner
-author: '@ROxPinTeddy'
-date: 2020/05/12
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
- ransomware groups.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\advanced_ip_scanner*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate administrative use
-id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
-- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
-- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
-status: experimental
-tags:
-- attack.discovery
-- attack.t1046
-yml_filename: process_creation_advanced_ip_scanner.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_alternate_data_streams.yml b/rules/alert-rules/sigma/process_creation_alternate_data_streams.yml
deleted file mode 100644
index cbb345ea..00000000
--- a/rules/alert-rules/sigma/process_creation_alternate_data_streams.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Execute From Alternate Data Streams
-author: frack113
-date: 2021/09/01
-description: Adversaries may use NTFS file attributes to hide their malicious data
- in order to evade detection
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '* /E *'
- SELECTION_11:
- CommandLine: '*esentutl *'
- SELECTION_12:
- CommandLine: '* /y *'
- SELECTION_13:
- CommandLine: '* /d *'
- SELECTION_14:
- CommandLine: '* /o *'
- SELECTION_2:
- CommandLine: '*txt:*'
- SELECTION_3:
- CommandLine: '*type *'
- SELECTION_4:
- CommandLine: '* > *'
- SELECTION_5:
- CommandLine: '*makecab *'
- SELECTION_6:
- CommandLine: '*.cab*'
- SELECTION_7:
- CommandLine: '*reg *'
- SELECTION_8:
- CommandLine: '* export *'
- SELECTION_9:
- CommandLine: '*regedit *'
- condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or
- (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
- and SELECTION_10) or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)))
-falsepositives:
-- Unknown
-id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.004
-yml_filename: process_creation_alternate_data_streams.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
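Review bot: SELECTION_2 (`*txt:*`) is ANDed into every branch of the `condition`, so the rule only fires when the command line contains the literal `txt:`; that ties detection to the sample file name used in the referenced atomic test rather than to the `type`/`makecab`/`reg export`/`regedit`/`esentutl` stream operations the other selections describe. The file also has no `modified` field, unlike the surrounding rules.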
diff --git a/rules/alert-rules/sigma/process_creation_apt_gallium.yml b/rules/alert-rules/sigma/process_creation_apt_gallium.yml
deleted file mode 100644
index a95be10b..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_gallium.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: GALLIUM Artefacts
-author: Tim Burrell
-date: 2020/02/07
-description: Detects artefacts associated with activity group GALLIUM - Microsoft
- Threat Intelligence Center indicators released in December 2019.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- sha1: e570585edc69f9074cb5e8a790708336bd45ca0f
- SELECTION_3:
- Image: '*:\Program Files(x86)\\*'
- SELECTION_4:
- Image: '*:\Program Files\\*'
- condition: (SELECTION_1 and (SELECTION_2) and not ((SELECTION_3 or SELECTION_4)))
-falsepositives:
-- unknown
-id: 18739897-21b1-41da-8ee4-5b786915a676
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
-- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-related:
-- id: 440a56bf-7873-4439-940a-1c8a671073c2
- type: derived
-status: experimental
-tags:
-- attack.credential_access
-- attack.command_and_control
-yml_filename: process_creation_apt_gallium.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
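Review bot: the `related` entry points at id `440a56bf-7873-4439-940a-1c8a671073c2`, which is the rule deleted in the very next hunk (process_creation_apt_gallium_sha1.yml); if either rule is retained or re-added on its own, the relation dangles. The `condition` `(SELECTION_1 and (SELECTION_2) and not ((SELECTION_3 or SELECTION_4)))` also carries redundant parentheses from the converter, which is harmless but worth cleaning in generated output.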
diff --git a/rules/alert-rules/sigma/process_creation_apt_gallium_sha1.yml b/rules/alert-rules/sigma/process_creation_apt_gallium_sha1.yml
deleted file mode 100644
index 10b599bf..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_gallium_sha1.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-title: GALLIUM Artefacts
-author: Tim Burrell
-date: 2020/02/07
-description: Detects artefacts associated with activity group GALLIUM - Microsoft
- Threat Intelligence Center indicators released in December 2019.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- sha1: 2e94b305d6812a9f96e6781c888e48c7fb157b6b
- SELECTION_11:
- sha1: dd44133716b8a241957b912fa6a02efde3ce3025
- SELECTION_12:
- sha1: 8793bf166cb89eb55f0593404e4e933ab605e803
- SELECTION_13:
- sha1: a39b57032dbb2335499a51e13470a7cd5d86b138
- SELECTION_14:
- sha1: 41cc2b15c662bc001c0eb92f6cc222934f0beeea
- SELECTION_15:
- sha1: d209430d6af54792371174e70e27dd11d3def7a7
- SELECTION_16:
- sha1: 1c6452026c56efd2c94cea7e0f671eb55515edb0
- SELECTION_17:
- sha1: c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
- SELECTION_18:
- sha1: 4923d460e22fbbf165bbbaba168e5a46b8157d9f
- SELECTION_19:
- sha1: f201504bd96e81d0d350c3a8332593ee1c9e09de
- SELECTION_2:
- sha1: 53a44c2396d15c3a03723fa5e5db54cafd527635
- SELECTION_20:
- sha1: ddd2db1127632a2a52943a2fe516a2e7d05d70d2
- SELECTION_3:
- sha1: 9c5e496921e3bc882dc40694f1dcc3746a75db19
- SELECTION_4:
- sha1: aeb573accfd95758550cf30bf04f389a92922844
- SELECTION_5:
- sha1: 79ef78a797403a4ed1a616c68e07fff868a8650a
- SELECTION_6:
- sha1: 4f6f38b4cec35e895d91c052b1f5a83d665c2196
- SELECTION_7:
- sha1: 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
- SELECTION_8:
- sha1: e841a63e47361a572db9a7334af459ddca11347a
- SELECTION_9:
- sha1: c28f606df28a9bc8df75a4d5e5837fc5522dd34d
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20))
-falsepositives:
-- unknown
-id: 440a56bf-7873-4439-940a-1c8a671073c2
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
-- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-status: experimental
-tags:
-- attack.credential_access
-- attack.command_and_control
-yml_filename: process_creation_apt_gallium_sha1.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
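Review bot: SELECTION_2 through SELECTION_20 match on a `sha1` field, but Sysmon EventID 1 carries hashes in a single `Hashes` string, so this rule silently assumes that string has been split into per-algorithm fields; the `logsource` block has no `definition` line saying so, unlike the PowerShell rules that document their field requirements. A retained copy should state the required mapping.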
diff --git a/rules/alert-rules/sigma/process_creation_apt_pandemic.yml b/rules/alert-rules/sigma/process_creation_apt_pandemic.yml
deleted file mode 100644
index 0c1c0681..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_pandemic.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Pandemic Registry Key
-author: Florian Roth
-date: 2017/06/01
-description: Detects Pandemic Windows Implant
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*loaddll -a *'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- Image
-- User
-- TargetObject
-id: 9fefd33c-339d-4495-9cba-b96ca006f512
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://wikileaks.org/vault7/#Pandemic
-- https://twitter.com/MalwareJake/status/870349480356454401
-related:
-- id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
- type: derived
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-yml_filename: process_creation_apt_pandemic.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_apt_slingshot.yml b/rules/alert-rules/sigma/process_creation_apt_slingshot.yml
deleted file mode 100644
index b30d5ae9..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_slingshot.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Defrag Deactivation
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-description: Detects the deactivation and disabling of the Scheduled defragmentation
- task as seen by Slingshot APT group
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\schtasks.exe'
- SELECTION_3:
- CommandLine: '*/delete*'
- SELECTION_4:
- CommandLine: '*/change*'
- SELECTION_5:
- CommandLine: '*/TN*'
- SELECTION_6:
- CommandLine: '*\Microsoft\Windows\Defrag\ScheduledDefrag*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: 958d81aa-8566-4cea-a565-59ccd4df27b0
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://securelist.com/apt-slingshot/84312/
-tags:
-- attack.persistence
-- attack.s0111
-yml_filename: process_creation_apt_slingshot.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
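Review bot: this file has no `status` field, while every other rule in this diff declares `status: experimental`; the `tags` block also mixes the software id `attack.s0111` with tactic tags without a technique id for the scheduled-task change the selections describe. Both should be fixed in any successor.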
diff --git a/rules/alert-rules/sigma/process_creation_apt_turla_commands_critical.yml b/rules/alert-rules/sigma/process_creation_apt_turla_commands_critical.yml
deleted file mode 100644
index 82b68834..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_turla_commands_critical.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Turla Group Lateral Movement
-author: Markus Neis
-date: 2017/11/07
-description: Detects automated lateral movement by Turla group
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: net use \\%DomainController%\C$ "P@ssw0rd" *
- SELECTION_3:
- CommandLine: dir c:\\*.doc* /s
- SELECTION_4:
- CommandLine: dir %TEMP%\\*.exe
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unknown
-id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://securelist.com/the-epic-turla-operation/65545/
-status: experimental
-tags:
-- attack.g0010
-- attack.execution
-- attack.t1059
-- attack.lateral_movement
-- attack.t1077
-- attack.t1021.002
-- attack.discovery
-- attack.t1083
-- attack.t1135
-yml_filename: process_creation_apt_turla_commands_critical.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
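Review bot: SELECTION_2 through SELECTION_4 are the only patterns in this diff left as unquoted plain scalars, and SELECTION_2 embeds a double-quoted substring (`net use \\%DomainController%\C$ "P@ssw0rd" *`); they parse today because no value starts with a special character, but single-quoting them like the rest of the rules removes that dependence. The `tags` block also keeps the deprecated `attack.t1077` beside `attack.t1021.002`.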
diff --git a/rules/alert-rules/sigma/process_creation_apt_wocao.yml b/rules/alert-rules/sigma/process_creation_apt_wocao.yml
deleted file mode 100644
index 2f3b0213..00000000
--- a/rules/alert-rules/sigma/process_creation_apt_wocao.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: Operation Wocao Activity
-author: Florian Roth, frack113
-date: 2019/12/20
-description: Detects activity mentioned in Operation Wocao report
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*iie.exe iie.txt*'
- SELECTION_11:
- CommandLine: '*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*'
- SELECTION_2:
- CommandLine: '*checkadmin.exe 127.0.0.1 -all*'
- SELECTION_3:
- CommandLine: '*netsh advfirewall firewall add rule name=powershell dir=in*'
- SELECTION_4:
- CommandLine: '*cmd /c powershell.exe -ep bypass -file c:\s.ps1*'
- SELECTION_5:
- CommandLine: '*/tn win32times /f*'
- SELECTION_6:
- CommandLine: '*create win32times binPath=*'
- SELECTION_7:
- CommandLine: '*\c$\windows\system32\devmgr.dll*'
- SELECTION_8:
- CommandLine: '* -exec bypass -enc JgAg*'
- SELECTION_9:
- CommandLine: '*type *keepass\KeePass.config.xml*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11))
-falsepositives:
-- Administrators that use checkadmin.exe tool to enumerate local administrators
-id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
-- https://twitter.com/SBousseaden/status/1207671369963646976
-related:
-- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
- type: derived
-status: experimental
-tags:
-- attack.discovery
-- attack.t1012
-- attack.defense_evasion
-- attack.t1036.004
-- attack.t1036
-- attack.t1027
-- attack.execution
-- attack.t1053.005
-- attack.t1053
-- attack.t1059.001
-- attack.t1086
-yml_filename: process_creation_apt_wocao.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
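Review bot: the `tags` block lists parent techniques together with their sub-techniques (`attack.t1036` with `attack.t1036.004`, `attack.t1053` with `attack.t1053.005`) and the deprecated `attack.t1086` with `attack.t1059.001`; a retained copy should keep only the most specific current id for each.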
diff --git a/rules/alert-rules/sigma/process_creation_automated_collection.yml b/rules/alert-rules/sigma/process_creation_automated_collection.yml
deleted file mode 100644
index 6639a0a8..00000000
--- a/rules/alert-rules/sigma/process_creation_automated_collection.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: Automated Collection Command Prompt
-author: frack113
-date: 2021/07/28
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*.txt*'
- SELECTION_11:
- CommandLine: '*dir *'
- SELECTION_12:
- CommandLine: '* /b *'
- SELECTION_13:
- CommandLine: '* /s *'
- SELECTION_14:
- OriginalFileName: FINDSTR.EXE
- SELECTION_15:
- CommandLine: '* /e *'
- SELECTION_2:
- CommandLine: '*.doc*'
- SELECTION_3:
- CommandLine: '*.docx*'
- SELECTION_4:
- CommandLine: '*.xls*'
- SELECTION_5:
- CommandLine: '*.xlsx*'
- SELECTION_6:
- CommandLine: '*.ppt*'
- SELECTION_7:
- CommandLine: '*.pptx*'
- SELECTION_8:
- CommandLine: '*.rtf*'
- SELECTION_9:
- CommandLine: '*.pdf*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- and ((SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and
- SELECTION_15)))
-falsepositives:
-- Unknown
-id: f576a613-2392-4067-9d1a-9345fb58d8d1
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1119
-yml_filename: process_creation_automated_collection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
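Review bot: SELECTION_3 (`*.docx*`), SELECTION_5 (`*.xlsx*`) and SELECTION_7 (`*.pptx*`) are redundant because the wildcard forms `*.doc*`, `*.xls*` and `*.ppt*` in SELECTION_2/4/6 already contain them; and SELECTION_10 (`*.txt*`) combined with the `dir /b /s` branch will match routine inventory scripts, which the single `Unknown` false-positive entry does not acknowledge.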
diff --git a/rules/alert-rules/sigma/process_creation_c3_load_by_rundll32.yml b/rules/alert-rules/sigma/process_creation_c3_load_by_rundll32.yml
deleted file mode 100644
index e19aef1c..00000000
--- a/rules/alert-rules/sigma/process_creation_c3_load_by_rundll32.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: F-Secure C3 Load by Rundll32
-author: Alfie Champion (ajpc500)
-date: 2021/06/02
-description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*rundll32.exe*'
- SELECTION_3:
- CommandLine: '*.dll*'
- SELECTION_4:
- CommandLine: '*StartNodeRelay*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218.011
-yml_filename: process_creation_c3_load_by_rundll32.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
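Review bot: nothing in this hunk says whether the `critical`-level C3 rule is being retired or moved; if it is moved, keep `id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f` so existing alert references still resolve. On the logic itself, `SELECTION_2` (`CommandLine: '*rundll32.exe*'`) is a substring test and will also fire for any other process whose arguments merely mention rundll32.exe; anchoring on `Image: '*\rundll32.exe'` or `OriginalFileName` would be more precise if this detection comes back.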
diff --git a/rules/alert-rules/sigma/process_creation_certoc_execution.yml b/rules/alert-rules/sigma/process_creation_certoc_execution.yml
deleted file mode 100644
index 6e4faa02..00000000
--- a/rules/alert-rules/sigma/process_creation_certoc_execution.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspicious Load DLL via CertOC.exe
-author: Austin Songer @austinsonger
-date: 2021/10/23
-description: Detects when a user installs certificates by using CertOC.exe to loads
- the target DLL file.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\certoc.exe'
- SELECTION_3:
- CommandLine: '*-LoadDLL*'
- SELECTION_4:
- CommandLine: '*.dll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- None
-fields:
-- CommandLine
-- ParentCommandLine
-id: 242301bc-f92f-4476-8718-78004a6efd9f
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_certoc_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
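Review bot: `falsepositives: - None` is inconsistent with the `Unknown` used by the other rules in this patch and is a stronger claim than the `status: experimental` / `level: medium` pair supports; any regenerated version should use the shared vocabulary. The detection block is otherwise sound: `Image: '*\certoc.exe'` plus `-LoadDLL` and `.dll` on the command line is specific enough that the `fields` list (`CommandLine`, `ParentCommandLine`) gives an analyst what they need.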
diff --git a/rules/alert-rules/sigma/process_creation_clip.yml b/rules/alert-rules/sigma/process_creation_clip.yml
deleted file mode 100644
index 7f29ebe4..00000000
--- a/rules/alert-rules/sigma/process_creation_clip.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Use of CLIP
-author: frack113
-date: 2021/07/27
-description: Adversaries may collect data stored in the clipboard from users copying
- information within or between applications.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- OriginalFileName: clip.exe
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: ddeff553-5233-4ae9-bbab-d64d2bd634be
-level: low
-logsource:
- category: process_creation
- product: windows
-references:
-- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1115
-yml_filename: process_creation_clip.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/alert-rules/sigma/process_creation_cobaltstrike_load_by_rundll32.yml
deleted file mode 100644
index 49852b2f..00000000
--- a/rules/alert-rules/sigma/process_creation_cobaltstrike_load_by_rundll32.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: CobaltStrike Load by Rundll32
-author: Wojciech Lesicki
-date: 2021/06/01
-description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs
- from the command line.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*rundll32.exe*'
- SELECTION_3:
- CommandLine: '*.dll*'
- SELECTION_4:
- CommandLine: '*StartW*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.cobaltstrike.com/help-windows-executable
-- https://redcanary.com/threat-detection-report/
-- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218.011
-yml_filename: process_creation_cobaltstrike_load_by_rundll32.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
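Review bot: `SELECTION_4` (`CommandLine: '*StartW*'`) is a very short substring and matches any longer token containing it, so with `level: critical` this rule is only as precise as the co-occurrence of `rundll32.exe` and `.dll` on the same command line; if the rule is re-added, consider requiring `Image: '*\rundll32.exe'` and a word-boundary form of the export name (for example `'*,StartW*'` or `'* StartW*'`) to cut noise without losing the documented Cobalt Strike pattern.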
diff --git a/rules/alert-rules/sigma/process_creation_conti_cmd_ransomware.yml b/rules/alert-rules/sigma/process_creation_conti_cmd_ransomware.yml
deleted file mode 100644
index 68417243..00000000
--- a/rules/alert-rules/sigma/process_creation_conti_cmd_ransomware.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Conti Ransomware Execution
-author: frack113
-date: 2021/10/12
-description: Conti ransomware command line ioc
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*-m *'
- SELECTION_3:
- CommandLine: '*-net *'
- SELECTION_4:
- CommandLine: '*-size *'
- SELECTION_5:
- CommandLine: '*-nomutex *'
- SELECTION_6:
- CommandLine: '*-p \\\*'
- SELECTION_7:
- CommandLine: '*$*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- Unknown should be low
-id: 689308fc-cfba-4f72-9897-796c1dc61487
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
-- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
-status: experimental
-tags:
-- attack.impact
-- attack.s0575
-- attack.t1486
-yml_filename: process_creation_conti_cmd_ransomware.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
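Review bot: three issues in this rule worth carrying into any replacement. `SELECTION_6` (`CommandLine: '*-p \\\*'`) has an ambiguous escape: `\\` is a literal backslash and `\*` a literal asterisk, so this matches a literal `-p \*` rather than `-p \` followed by anything; please confirm which was intended. `SELECTION_7` (`'*$*'`) matches any command line containing a `$`, which adds little beyond the other five substrings. Finally `falsepositives: - Unknown should be low` is a comment, not a false-positive source; use `Unknown`.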
diff --git a/rules/alert-rules/sigma/process_creation_coti_sqlcmd.yml b/rules/alert-rules/sigma/process_creation_coti_sqlcmd.yml
deleted file mode 100644
index ebea53d8..00000000
--- a/rules/alert-rules/sigma/process_creation_coti_sqlcmd.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Conti Backup Database
-author: frack113
-date: 2021/08/16
-description: Detects a command used by conti to dump database
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*sqlcmd *'
- SELECTION_3:
- CommandLine: '*sqlcmd.exe*'
- SELECTION_4:
- CommandLine: '* -S localhost *'
- SELECTION_5:
- CommandLine: '*sys.sysprocesses*'
- SELECTION_6:
- CommandLine: '*master.dbo.sysdatabases*'
- SELECTION_7:
- CommandLine: '*BACKUP DATABASE*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unknown
-id: 2f47f1fd-0901-466e-a770-3b7092834a1b
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/vxunderground/status/1423336151860002816?s=20
-- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
-- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
-status: experimental
-tags:
-- attack.collection
-yml_filename: process_creation_coti_sqlcmd.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
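Review bot: the file name `process_creation_coti_sqlcmd.yml` (and the matching `yml_filename`) misspells "Conti" from the `title`; fix the name when the rule is recreated. The `tags` list carries only `attack.collection` with no technique id, unlike the other rules in this patch, so the rule cannot be mapped to an ATT&CK technique in downstream reporting.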
diff --git a/rules/alert-rules/sigma/process_creation_discover_private_keys.yml b/rules/alert-rules/sigma/process_creation_discover_private_keys.yml
deleted file mode 100644
index 37fe8de1..00000000
--- a/rules/alert-rules/sigma/process_creation_discover_private_keys.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: Discover Private Keys
-author: frack113
-date: 2021/07/20
-description: Adversaries may search for private key certificate files on compromised
- systems for insecurely stored credential
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*.pfx*'
- SELECTION_11:
- CommandLine: '*.cer*'
- SELECTION_12:
- CommandLine: '*.p7b*'
- SELECTION_13:
- CommandLine: '*.asc*'
- SELECTION_2:
- CommandLine: '*dir *'
- SELECTION_3:
- CommandLine: '*findstr *'
- SELECTION_4:
- CommandLine: '*.key*'
- SELECTION_5:
- CommandLine: '*.pgp*'
- SELECTION_6:
- CommandLine: '*.gpg*'
- SELECTION_7:
- CommandLine: '*.ppk*'
- SELECTION_8:
- CommandLine: '*.p12*'
- SELECTION_9:
- CommandLine: '*.pem*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1552.004
-yml_filename: process_creation_discover_private_keys.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
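Review bot: `SELECTION_2` (`CommandLine: '*dir *'`) is a substring match and also hits `mkdir `, `rmdir ` and `chdir `, and the short extension patterns such as `'*.key*'` and `'*.cer*'` match `.keystore`, `.cert` and similar names, so the `medium` level is optimistic for this rule as written; if it is re-added, anchor the `findstr` branch on `Image`/`OriginalFileName` and tighten the `dir` pattern (for example to a leading `'dir *'` or `'* dir *'`).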
diff --git a/rules/alert-rules/sigma/process_creation_dns_serverlevelplugindll.yml b/rules/alert-rules/sigma/process_creation_dns_serverlevelplugindll.yml
deleted file mode 100644
index 3618052c..00000000
--- a/rules/alert-rules/sigma/process_creation_dns_serverlevelplugindll.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: DNS ServerLevelPluginDll Install
-author: Florian Roth
-date: 2017/05/08
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
- in Registry, which can be used to execute code in context of the DNS server (restart
- required)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\dnscmd.exe'
- SELECTION_3:
- CommandLine: '*/config*'
- SELECTION_4:
- CommandLine: '*/serverlevelplugindll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- Image
-- User
-- TargetObject
-id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-related:
-- id: e61e8a88-59a9-451c-874e-70fcc9740d67
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-- attack.t1112
-yml_filename: process_creation_dns_serverlevelplugindll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
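Review bot: the `fields` list includes `TargetObject`, which is a registry-event field and never present on a `process_creation` event, so it should be dropped from this rule; `tags` also carries both the retired `attack.t1073` and its replacement `attack.t1574.002`, only the latter is needed. The detection itself (`dnscmd.exe` with `/config` and `/serverlevelplugindll`) is correct and matches the referenced technique.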
diff --git a/rules/alert-rules/sigma/process_creation_dotnet.yml b/rules/alert-rules/sigma/process_creation_dotnet.yml
deleted file mode 100644
index 876b2f6e..00000000
--- a/rules/alert-rules/sigma/process_creation_dotnet.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
-author: Beyu Denis, oscd.community
-date: 2020/10/18
-description: dotnet.exe will execute any DLL and execute unsigned code
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*.dll'
- SELECTION_3:
- CommandLine: '*.csproj'
- SELECTION_4:
- Image: '*\dotnet.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4))
-falsepositives:
-- System administrator Usage
-- Penetration test
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
-- https://twitter.com/_felamos/status/1204705548668555264
-- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
-status: experimental
-tags:
-- attack.execution
-- attack.t1218
-yml_filename: process_creation_dotnet.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
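Review bot: `SELECTION_2` (`CommandLine: '*.dll'`) and `SELECTION_3` (`'*.csproj'`) have no trailing wildcard, so they only match when the command line ends exactly in the extension; a trailing space, closing quote or additional argument defeats them. The other rules in this patch use the `'*.dll*'` form, and a replacement should do the same. The `(SELECTION_4)` parentheses in the `condition` are redundant.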
diff --git a/rules/alert-rules/sigma/process_creation_hack_dumpert.yml b/rules/alert-rules/sigma/process_creation_hack_dumpert.yml
deleted file mode 100644
index 2047d019..00000000
--- a/rules/alert-rules/sigma/process_creation_hack_dumpert.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Dumpert Process Dumper
-author: Florian Roth
-date: 2020/02/04
-description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
- process memory
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Imphash: 09D278F9DE118EF09163C6140255C690
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Very unlikely
-id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://github.com/outflanknl/Dumpert
-- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: process_creation_hack_dumpert.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
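Review bot: this rule relies solely on `Imphash`, which is only populated when the Sysmon configuration's `HashAlgorithms` includes IMPHASH; on collectors that do not enable it the field is absent and the rule silently never fires. Worth a note in `description` (or a second selection on `Image`/`OriginalFileName`) if the rule is brought back, since `level: critical` suggests it is depended on.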
diff --git a/rules/alert-rules/sigma/process_creation_infdefaultinstall.yml b/rules/alert-rules/sigma/process_creation_infdefaultinstall.yml
deleted file mode 100644
index c725f557..00000000
--- a/rules/alert-rules/sigma/process_creation_infdefaultinstall.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: InfDefaultInstall.exe .inf Execution
-author: frack113
-date: 2021/07/13
-description: Executes SCT script using scrobj.dll from a command in entered into a
- specially prepared INF file.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*InfDefaultInstall.exe *'
- SELECTION_3:
- CommandLine: '*.inf*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: ce7cf472-6fcc-490a-9481-3786840b5d9b
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: process_creation_infdefaultinstall.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
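Review bot: the `tags` entry `attack.t1562.001` (Impair Defenses) does not match the behaviour described and referenced (LOLBAS/T1218 proxy execution via InfDefaultInstall.exe); a replacement should tag `attack.t1218`. Also note `SELECTION_2` (`'*InfDefaultInstall.exe *'`) requires a trailing space after the binary name, so an invocation with no arguments or with the path quoted is missed.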
diff --git a/rules/alert-rules/sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/alert-rules/sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
deleted file mode 100644
index f0d4c15f..00000000
--- a/rules/alert-rules/sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: LOLBAS Data Exfiltration by DataSvcUtil.exe
-author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
-date: 2021/09/30
-description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*/in:*'
- SELECTION_3:
- CommandLine: '*/out:*'
- SELECTION_4:
- Image: '*\DataSvcUtil.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4))
-falsepositives:
-- DataSvcUtil.exe being used may be performed by a system administrator.
-- Verify whether the user identity, user agent, and/or hostname should be making changes
- in your environment.
-- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If
- known behavior is causing false positives, it can be exempted from the rule.
-- Penetration Testing
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: e290b10b-1023-4452-a4a9-eb31a9013b3a
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
-- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
-- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
-- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1567
-yml_filename: process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
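Review bot: the `falsepositives` list mixes true false-positive sources (`Penetration Testing`, system administrator use) with analyst guidance sentences ("Verify whether the user identity..."), which belongs in `description`; keep the list to sources so tooling that surfaces it stays readable. The `(SELECTION_4)` parentheses in the `condition` are redundant. The detection (`DataSvcUtil.exe` with both `/in:` and `/out:`) is otherwise fine.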
diff --git a/rules/alert-rules/sigma/process_creation_lolbins_by_office_applications.yml b/rules/alert-rules/sigma/process_creation_lolbins_by_office_applications.yml
deleted file mode 100644
index f551aab3..00000000
--- a/rules/alert-rules/sigma/process_creation_lolbins_by_office_applications.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: New Lolbin Process by Office Applications
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: This rule will monitor any office apps that spins up a new LOLBin process.
- This activity is pretty suspicious and should be investigated.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*regsvr32'
- SELECTION_3:
- Image: '*rundll32'
- SELECTION_4:
- Image: '*msiexec'
- SELECTION_5:
- Image: '*mshta'
- SELECTION_6:
- Image: '*verclsid'
- SELECTION_7:
- ParentImage: '*winword.exe'
- SELECTION_8:
- ParentImage: '*excel.exe'
- SELECTION_9:
- ParentImage: '*powerpnt.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Unknown
-id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_lolbins_by_office_applications.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
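Review bot: `SELECTION_2`–`SELECTION_6` (`Image: '*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'`, `'*verclsid'`) have no trailing wildcard and no `.exe`, so they require the `Image` value to end in the bare name; on Windows `Image` is a full path ending in `.exe`, so these selections never match and the rule is dead as written. Any replacement should use `'*\regsvr32.exe'` and so on (the `ParentImage` patterns `'*winword.exe'` etc. are correct).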
diff --git a/rules/alert-rules/sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/alert-rules/sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
deleted file mode 100644
index d4691aee..00000000
--- a/rules/alert-rules/sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Lolbins Process Creation with WmiPrvse
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: This rule will monitor LOLBin process creations by wmiprvse. Add more
- LOLBins to rule logic if needed.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*regsvr32'
- SELECTION_3:
- Image: '*rundll32'
- SELECTION_4:
- Image: '*msiexec'
- SELECTION_5:
- Image: '*mshta'
- SELECTION_6:
- Image: '*verclsid'
- SELECTION_7:
- ParentImage: '*\wbem\WmiPrvSE.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6) and SELECTION_7)
-falsepositives:
-- Unknown
-id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_lolbins_with_wmiprvse_parent_process.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
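Review bot: same defect as the office-parent rule above: `Image: '*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'` and `'*verclsid'` can never equal a full `Image` path ending in `.exe`, so this rule does not fire; `SELECTION_7` (`ParentImage: '*\wbem\WmiPrvSE.exe'`) is the correct form and the child patterns should follow it.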
diff --git a/rules/alert-rules/sigma/process_creation_mal_blue_mockingbird.yml b/rules/alert-rules/sigma/process_creation_mal_blue_mockingbird.yml
deleted file mode 100644
index 341f33f4..00000000
--- a/rules/alert-rules/sigma/process_creation_mal_blue_mockingbird.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Blue Mockingbird
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-description: Attempts to detect system changes made by Blue Mockingbird
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\cmd.exe'
- SELECTION_3:
- CommandLine: '*sc config*'
- SELECTION_4:
- CommandLine: '*wercplsupporte.dll*'
- SELECTION_5:
- Image: '*\wmic.exe'
- SELECTION_6:
- CommandLine: '*COR_PROFILER'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
- (SELECTION_5 and SELECTION_6)))
-falsepositives:
-- unknown
-id: c3198a27-23a0-4c2c-af19-e5328d49680e
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/11
-references:
-- https://redcanary.com/blog/blue-mockingbird-cryptominer/
-related:
-- id: ce239692-aa94-41b3-b32f-9cab259c96ea
- type: merged
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-- attack.t1047
-yml_filename: process_creation_mal_blue_mockingbird.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
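Review bot: `SELECTION_6` (`CommandLine: '*COR_PROFILER'`) is end-anchored, so the `wmic` branch only fires when `COR_PROFILER` is the very last token of the command line; a trailing space, quote or `=value` defeats it, and `'*COR_PROFILER*'` is the safer pattern. Also note `yml_path` points at `.../rules/windows/malware` while the file name carries the `process_creation_` prefix; pick one convention when the rule is regenerated.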
diff --git a/rules/alert-rules/sigma/process_creation_mal_darkside_ransomware.yml b/rules/alert-rules/sigma/process_creation_mal_darkside_ransomware.yml
deleted file mode 100644
index 0ff0fa3d..00000000
--- a/rules/alert-rules/sigma/process_creation_mal_darkside_ransomware.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: DarkSide Ransomware Pattern
-author: Florian Roth
-date: 2021/05/14
-description: Detects DarkSide Ransomware and helpers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*=[char][byte](''0x''+*'
- SELECTION_3:
- CommandLine: '* -work worker0 -path *'
- SELECTION_4:
- ParentCommandLine: '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
- SELECTION_5:
- Image: '*\AppData\Local\Temp\\*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or ((SELECTION_4) and
- (SELECTION_5))))
-falsepositives:
-- Unknown
-- UAC bypass method used by other malware
-id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
-- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
-- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-yml_filename: process_creation_mal_darkside_ransomware.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
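Review bot: the `condition` nesting `((SELECTION_4) and (SELECTION_5))` can be written `(SELECTION_4 and SELECTION_5)`; the escapes in `SELECTION_2` (`''0x''` for a literal single quote inside a YAML single-quoted string) and `SELECTION_5` (`\\*` for a literal backslash followed by a wildcard) are correct and should be preserved verbatim if the rule is recreated, since they are easy to mangle in conversion.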
diff --git a/rules/alert-rules/sigma/process_creation_mal_lockergoga_ransomware.yml b/rules/alert-rules/sigma/process_creation_mal_lockergoga_ransomware.yml
deleted file mode 100644
index f00d3531..00000000
--- a/rules/alert-rules/sigma/process_creation_mal_lockergoga_ransomware.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: LockerGoga Ransomware
-author: Vasiliy Burov, oscd.community
-date: 2020/10/18
-description: Detects LockerGoga Ransomware command line.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*-i SM-tgytutrc -s*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unlikely
-id: 74db3488-fd28-480a-95aa-b7af626de068
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
-- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
-- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
-status: experimental
-tags:
-- attack.impact
-- attack.t1486
-yml_filename: process_creation_mal_lockergoga_ransomware.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/process_creation_mal_ryuk.yml b/rules/alert-rules/sigma/process_creation_mal_ryuk.yml
deleted file mode 100644
index 9738c948..00000000
--- a/rules/alert-rules/sigma/process_creation_mal_ryuk.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Ryuk Ransomware
-author: Vasiliy Burov
-date: 2019/08/06
-description: Detects Ryuk Ransomware command lines
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\net.exe'
- SELECTION_3:
- Image: '*\net1.exe'
- SELECTION_4:
- CommandLine: '*stop*'
- SELECTION_5:
- CommandLine: '*samss*'
- SELECTION_6:
- CommandLine: '*audioendpointbuilder*'
- SELECTION_7:
- CommandLine: '*unistoresvc_?????*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unlikely
-id: 0acaad27-9f02-4136-a243-c357202edd74
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-yml_filename: process_creation_mal_ryuk.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
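Review bot: the `tags` (`attack.execution`, `attack.t1204`) do not describe what the detection matches: `net.exe`/`net1.exe` with `stop` and the `samss`/`audioendpointbuilder`/`unistoresvc_*` service names is Service Stop (T1489, Impact), as the Ryuk reference describes; a replacement should tag it accordingly so the alert maps to the right tactic.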
diff --git a/rules/alert-rules/sigma/process_creation_msdeploy.yml b/rules/alert-rules/sigma/process_creation_msdeploy.yml
deleted file mode 100644
index 5747a46b..00000000
--- a/rules/alert-rules/sigma/process_creation_msdeploy.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Execute Files with Msdeploy.exe
-author: Beyu Denis, oscd.community
-date: 2020/10/18
-description: Detects file execution using the msdeploy.exe lolbin
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*verb:sync*'
- SELECTION_3:
- CommandLine: '*-source:RunCommand*'
- SELECTION_4:
- CommandLine: '*-dest:runCommand*'
- SELECTION_5:
- Image: '*\msdeploy.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5))
-falsepositives:
-- System administrator Usage
-- Penetration test
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
-- https://twitter.com/pabraeken/status/995837734379032576
-- https://twitter.com/pabraeken/status/999090532839313408
-status: experimental
-tags:
-- attack.execution
-- attack.t1218
-yml_filename: process_creation_msdeploy.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/alert-rules/sigma/process_creation_office_applications_spawning_wmi_commandline.yml
deleted file mode 100644
index eaeb737e..00000000
--- a/rules/alert-rules/sigma/process_creation_office_applications_spawning_wmi_commandline.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Office Applications Spawning Wmi Cli
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: Initial execution of malicious document calls wmic to execute the file
- with regsvr32
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: \wbem\WMIC.exe
- SELECTION_3:
- CommandLine: '*wmic *'
- SELECTION_4:
- OriginalFileName: wmic.exe
- SELECTION_5:
- Description: WMI Commandline Utility
- SELECTION_6:
- ParentImage: '*winword.exe'
- SELECTION_7:
- ParentImage: '*excel.exe'
- SELECTION_8:
- ParentImage: '*powerpnt.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Unknown
-id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/11/10
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_office_applications_spawning_wmi_commandline.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
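Review bot: `SELECTION_2` (`Image: \wbem\WMIC.exe`) is unquoted and has no leading wildcard, so it is an exact-match value that can never equal a full `Image` path; it should be `'*\wbem\WMIC.exe'` as in the two regsvr32-payload rules in this patch. The rule still fires through the `OR` with `SELECTION_3`–`SELECTION_5`, which masks the error, so this is worth fixing rather than leaving as dead branch.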
diff --git a/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
deleted file mode 100644
index c0500b28..00000000
--- a/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-title: Excel Proxy Executing Regsvr32 With Payload
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: Excel called wmic to finally proxy execute regsvr32 with the payload.
- An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
- we have command-line in the event which allow us to "restore" this suspicious
- parent-child chain and detect it. Monitor process creation with "wmic process
- call create" and LOLBins in command-line with parent Office application processes.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*verclsid*'
- SELECTION_11:
- ParentImage: '*winword.exe'
- SELECTION_12:
- ParentImage: '*excel.exe'
- SELECTION_13:
- ParentImage: '*powerpnt.exe'
- SELECTION_14:
- ParentCommandLine: '*process*'
- SELECTION_15:
- ParentCommandLine: '*create*'
- SELECTION_16:
- ParentCommandLine: '*call*'
- SELECTION_2:
- Image: '*\wbem\WMIC.exe'
- SELECTION_3:
- ParentCommandLine: '*wmic *'
- SELECTION_4:
- OriginalFileName: wmic.exe
- SELECTION_5:
- Description: WMI Commandline Utility
- SELECTION_6:
- CommandLine: '*regsvr32*'
- SELECTION_7:
- CommandLine: '*rundll32*'
- SELECTION_8:
- CommandLine: '*msiexec*'
- SELECTION_9:
- CommandLine: '*mshta*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- and (SELECTION_11 or SELECTION_12 or SELECTION_13) and SELECTION_14 and SELECTION_15
- and SELECTION_16)
-falsepositives:
-- Unknown
-id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/11/09
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_office_from_proxy_executing_regsvr32_payload.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
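Review bot: `SELECTION_14`–`SELECTION_16` (`ParentCommandLine` containing `process`, `create` and `call` as three independent substrings) accept the tokens in any order and anywhere in the line, which is looser than the documented `wmic process call create` pattern; a single `'*process*call*create*'` selection would be both simpler and tighter. The `description` also has a missing space in "(Office app spawns LOLBin).But".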
diff --git a/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
deleted file mode 100644
index 6f2f1a98..00000000
--- a/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-title: Excel Proxy Executing Regsvr32 With Payload
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: Excel called wmic to finally proxy execute regsvr32 with the payload.
- An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
- we have command-line in the event which allow us to "restore" this suspicious
- parent-child chain and detect it. Monitor process creation with "wmic process
- call create" and LOLBins in command-line with parent Office application processes.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- ParentImage: '*excel.exe'
- SELECTION_11:
- ParentImage: '*powerpnt.exe'
- SELECTION_12:
- ParentCommandLine: '*process*'
- SELECTION_13:
- ParentCommandLine: '*create*'
- SELECTION_14:
- ParentCommandLine: '*call*'
- SELECTION_2:
- ParentCommandLine: '*regsvr32*'
- SELECTION_3:
- ParentCommandLine: '*rundll32*'
- SELECTION_4:
- ParentCommandLine: '*msiexec*'
- SELECTION_5:
- ParentCommandLine: '*mshta*'
- SELECTION_6:
- ParentCommandLine: '*verclsid*'
- SELECTION_7:
- Image: '*\wbem\WMIC.exe'
- SELECTION_8:
- ParentCommandLine: '*wmic *'
- SELECTION_9:
- ParentImage: '*winword.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6) and (SELECTION_7 or SELECTION_8) and (SELECTION_9 or SELECTION_10
- or SELECTION_11) and SELECTION_12 and SELECTION_13 and SELECTION_14)
-falsepositives:
-- Unknown
-id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/11/09
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_office_from_proxy_executing_regsvr32_payload2.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
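Review bot: dropping this rule loses no working coverage, because the condition cannot be satisfied as written: SELECTION_9 to SELECTION_11 require the parent to be winword/excel/powerpnt, while SELECTION_2 to SELECTION_6, SELECTION_8 and SELECTION_12 to SELECTION_14 require that same parent's `ParentCommandLine` to contain `wmic `, `process`, `call`, `create` and a LOLBin name, which an Office application's own command line never will. The chain in the description (Office spawns `wmic process call create` with a LOLBin) puts those strings on the `CommandLine` of the child WMIC.exe process, so any replacement should match them there. Apart from `id` and filename, the trailing fields here are identical to the `_payload.yml` rule removed just above.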
diff --git a/rules/alert-rules/sigma/process_creation_office_spawning_wmi_commandline.yml b/rules/alert-rules/sigma/process_creation_office_spawning_wmi_commandline.yml
deleted file mode 100644
index c5b829ed..00000000
--- a/rules/alert-rules/sigma/process_creation_office_spawning_wmi_commandline.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Office Applications Spawning Wmi Cli
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: Initial execution of malicious document calls wmic to execute the file
- with regsvr32
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\wbem\WMIC.exe'
- SELECTION_3:
- ParentCommandLine: '*wmic *'
- SELECTION_4:
- ParentImage: winword.exe
- SELECTION_5:
- ParentImage: excel.exe
- SELECTION_6:
- ParentImage: powerpnt.exe
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Unknown
-id: 04f5363a-6bca-42ff-be70-0d28bf629ead
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/11/09
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defense_evasion
-yml_filename: process_creation_office_spawning_wmi_commandline.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
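Review bot: SELECTION_4 to SELECTION_6 give bare `winword.exe`, `excel.exe` and `powerpnt.exe` for `ParentImage` with no leading `*`; a value without a wildcard is an exact match, and `ParentImage` carries the full path, so these selections never match, unlike the `'*excel.exe'` form used in the rule removed above. A replacement should use `'*\winword.exe'` and so on. SELECTION_3 (`ParentCommandLine: '*wmic *'`) also repeats the parent/child mix-up of the previous rule, since the parent here is required to be an Office binary.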
diff --git a/rules/alert-rules/sigma/process_creation_pingback_backdoor.yml b/rules/alert-rules/sigma/process_creation_pingback_backdoor.yml
deleted file mode 100644
index 3cb4986f..00000000
--- a/rules/alert-rules/sigma/process_creation_pingback_backdoor.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Pingback Backdoor
-author: Bhabesh Raj
-date: 2021/05/05
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
- as described in the trustwave report
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*updata.exe'
- SELECTION_3:
- CommandLine: '*config*'
- SELECTION_4:
- CommandLine: '*msdtc*'
- SELECTION_5:
- CommandLine: '*start*'
- SELECTION_6:
- CommandLine: '*auto*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Very unlikely
-id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/09
-references:
-- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
-- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-status: experimental
-tags:
-- attack.persistence
-- attack.t1574.001
-yml_filename: process_creation_pingback_backdoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_protocolhandler_suspicious_file.yml b/rules/alert-rules/sigma/process_creation_protocolhandler_suspicious_file.yml
deleted file mode 100644
index f7797b44..00000000
--- a/rules/alert-rules/sigma/process_creation_protocolhandler_suspicious_file.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: ProtocolHandler.exe Downloaded Suspicious File
-author: frack113
-date: 2021/07/13
-description: Emulates attack via documents through protocol handler in Microsoft Office.
- On successful execution you should see Microsoft Word launch a blank file.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\protocolhandler.exe'
- SELECTION_3:
- CommandLine: '*"ms-word*'
- SELECTION_4:
- CommandLine: '*.docx"*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_protocolhandler_suspicious_file.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_root_certificate_installed.yml b/rules/alert-rules/sigma/process_creation_root_certificate_installed.yml
deleted file mode 100644
index 51a385a8..00000000
--- a/rules/alert-rules/sigma/process_creation_root_certificate_installed.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Root Certificate Installed
-author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2020/10/10
-description: Adversaries may install a root certificate on a compromised system to
- avoid warnings when connecting to adversary controlled web servers.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*root*'
- SELECTION_3:
- Image: '*\certutil.exe'
- SELECTION_4:
- CommandLine: '*-addstore*'
- SELECTION_5:
- Image: '*\CertMgr.exe'
- SELECTION_6:
- CommandLine: '*/add*'
- condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or
- (SELECTION_5 and SELECTION_6)))
-falsepositives:
-- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
- test if GPO push doesn't trigger FP
-id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
-related:
-- id: 42821614-9264-4761-acfc-5772c3286f76
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1553.004
-yml_filename: process_creation_root_certificate_installed.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
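Review bot: the `falsepositives` entry ends in an open to-do ("Need to test if GPO push doesn't trigger FP") rather than a documented benign source; if this rule is carried forward, either resolve that test or move the remark into `description`, and keep `falsepositives` to the known case it already names, help desk or IT manually adding a corporate root CA.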
diff --git a/rules/alert-rules/sigma/process_creation_sdelete.yml b/rules/alert-rules/sigma/process_creation_sdelete.yml
deleted file mode 100644
index 3788326f..00000000
--- a/rules/alert-rules/sigma/process_creation_sdelete.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Sysinternals SDelete Delete File
-author: frack113
-date: 2021/06/03
-description: Use of SDelete to erase a file not the free space
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- OriginalFileName: sdelete.exe
- SELECTION_3:
- CommandLine: '* -h*'
- SELECTION_4:
- CommandLine: '* -c*'
- SELECTION_5:
- CommandLine: '* -z*'
- SELECTION_6:
- CommandLine: '* /?*'
- condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
- or SELECTION_5 or SELECTION_6)))
-falsepositives:
-- System administrator Usage
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: a4824fca-976f-4964-b334-0621379e84c4
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
-status: experimental
-tags:
-- attack.impact
-- attack.t1485
-yml_filename: process_creation_sdelete.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_software_discovery.yml b/rules/alert-rules/sigma/process_creation_software_discovery.yml
deleted file mode 100644
index 6559241f..00000000
--- a/rules/alert-rules/sigma/process_creation_software_discovery.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Detected Windows Software Discovery
-author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-description: Adversaries may attempt to enumerate software for a variety of reasons,
- such as figuring out what security measures are present or if the compromised
- system has a version of software that is vulnerable.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\reg.exe'
- SELECTION_3:
- CommandLine: '*query*'
- SELECTION_4:
- CommandLine: '*\software\\*'
- SELECTION_5:
- CommandLine: '*/v*'
- SELECTION_6:
- CommandLine: '*svcversion*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Legitimate administration activities
-id: e13f668e-7f95-443d-98d2-1816a7648a7b
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
-- https://github.com/harleyQu1nn/AggressorScripts
-related:
-- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
- type: derived
-status: experimental
-tags:
-- attack.discovery
-- attack.t1518
-yml_filename: process_creation_software_discovery.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
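Review bot: the condition ANDs SELECTION_5 and SELECTION_6, so the rule only fires when a `reg.exe query` under `\software\` also contains `/v` and `svcversion`, which is the exact query of the referenced Atomic Red Team T1518 test; any other `reg query ...\software\...` enumeration is missed, so the T1518 tag and the description promise more than the logic delivers. A replacement should drop SELECTION_6 or treat `svcversion` as one of several example values.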
diff --git a/rules/alert-rules/sigma/process_creation_stickykey_like_backdoor.yml b/rules/alert-rules/sigma/process_creation_stickykey_like_backdoor.yml
deleted file mode 100644
index cc38d7f9..00000000
--- a/rules/alert-rules/sigma/process_creation_stickykey_like_backdoor.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Sticky Key Like Backdoor Usage
-author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-description: Detects the usage and installation of a backdoor that uses an option
- to register a malicious debugger for built-in tools that are accessible in the
- login screen
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\winlogon.exe'
- SELECTION_3:
- Image: '*\cmd.exe'
- SELECTION_4:
- CommandLine: '*sethc.exe*'
- SELECTION_5:
- CommandLine: '*utilman.exe*'
- SELECTION_6:
- CommandLine: '*osk.exe*'
- SELECTION_7:
- CommandLine: '*Magnify.exe*'
- SELECTION_8:
- CommandLine: '*Narrator.exe*'
- SELECTION_9:
- CommandLine: '*DisplaySwitch.exe*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Unlikely
-id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-related:
-- id: baca5663-583c-45f9-b5dc-ea96a22ce542
- type: derived
-tags:
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1015
-- attack.t1546.008
-- car.2014-11-003
-- car.2014-11-008
-yml_filename: process_creation_stickykey_like_backdoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
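Review bot: this rule has no `status` field although every other rule in the set carries one (`experimental` or `deprecated`); the converter normally emits it between `related:` and `tags:`, so the omission looks like a conversion gap rather than intent and should be checked if the rule is re-exported.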
diff --git a/rules/alert-rules/sigma/process_creation_stordiag_execution.yml b/rules/alert-rules/sigma/process_creation_stordiag_execution.yml
deleted file mode 100644
index 11248cf4..00000000
--- a/rules/alert-rules/sigma/process_creation_stordiag_execution.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Execution via stordiag.exe
-author: Austin Songer (@austinsonger)
-date: 2021/10/21
-description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe
- and fltmc.exe
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\stordiag.exe'
- SELECTION_3:
- Image: '*\schtasks.exe'
- SELECTION_4:
- Image: '*\systeminfo.exe'
- SELECTION_5:
- Image: '*\fltmc.exe'
- SELECTION_6:
- ParentImage: c:\windows\system32\\*
- SELECTION_7:
- ParentImage: c:\windows\syswow64\\*
- condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
- and not ((SELECTION_6 or SELECTION_7)))
-falsepositives:
-- Legitimate usage of stordiag.exe.
-id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
-- https://twitter.com/eral4m/status/1451112385041911809
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_stordiag_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_susp_7z.yml b/rules/alert-rules/sigma/process_creation_susp_7z.yml
deleted file mode 100644
index b5a666f5..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_7z.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
-author: frack113
-date: 2021/07/27
-description: An adversary may compress or encrypt data that is collected prior to
- exfiltration using 3rd party utilities
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*7z.exe*'
- SELECTION_3:
- CommandLine: '*7za.exe*'
- SELECTION_4:
- CommandLine: '* -p*'
- SELECTION_5:
- CommandLine: '* a *'
- SELECTION_6:
- CommandLine: '* u *'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Command line parameter combinations that contain all included strings
-fields:
-- CommandLine
-- ParentCommandLine
-- CurrentDirectory
-id: 9fbf5927-5261-4284-a71d-f681029ea574
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1560.001
-yml_filename: process_creation_susp_7z.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
deleted file mode 100644
index 86cd58d6..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
-author: frack113
-date: 2021/07/13
-description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
- that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
- SELECTION_3:
- CommandLine: '*-ModuleName *'
- SELECTION_4:
- CommandLine: '*-ModulePath *'
- SELECTION_5:
- CommandLine: '*-ScriptBlock *'
- SELECTION_6:
- CommandLine: '*-RemoteFXvGPUDisablementFilePath*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
-related:
-- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_susp_athremotefxvgpudisablementcommand.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
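Review bot: SELECTION_2 matches the string `Invoke-ATHRemoteFXvGPUDisablementCommand `, which is the name of the Atomic Test Harness cmdlet in the referenced InvokeRemoteFXvGPUDisablementCommand.ps1, and SELECTION_3 to SELECTION_6 match that cmdlet's parameters (`-ModuleName`, `-ModulePath`, `-ScriptBlock`, `-RemoteFXvGPUDisablementFilePath`), so the rule detects execution of the test harness, not abuse of RemoteFXvGPUDisablement.exe as the description states. A replacement should key on the executable itself, for example `Image: '*\RemoteFXvGPUDisablement.exe'`, and the title's `Abusable Invoke-...` wording should be corrected to match.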
diff --git a/rules/alert-rules/sigma/process_creation_susp_del.yml b/rules/alert-rules/sigma/process_creation_susp_del.yml
deleted file mode 100644
index 316e326b..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_del.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Suspicious Del in CommandLine
-author: frack113
-date: 2021/10/26
-description: suspicious command line to remove exe or dll
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*del *'
- SELECTION_3:
- CommandLine: '*/f *'
- SELECTION_4:
- CommandLine: '*/q *'
- SELECTION_5:
- CommandLine: '*.exe*'
- SELECTION_6:
- CommandLine: '*C:\ProgramData\\*'
- SELECTION_7:
- CommandLine: '*.dll*'
- condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
-- unknown
-id: 204b17ae-4007-471b-917b-b917b315c5db
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.004
-yml_filename: process_creation_susp_del.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_susp_recon.yml b/rules/alert-rules/sigma/process_creation_susp_recon.yml
deleted file mode 100644
index 0d33e312..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_recon.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Recon Information for Export with Command Prompt
-author: frack113
-date: 2021/07/30
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\tree.com'
- SELECTION_3:
- Image: '*\WMIC.exe'
- SELECTION_4:
- Image: '*\doskey.exe'
- SELECTION_5:
- Image: '*\sc.exe'
- SELECTION_6:
- ParentCommandLine: '* > %TEMP%\\*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: aa2efee7-34dd-446e-8a37-40790a66efd7
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1119
-yml_filename: process_creation_susp_recon.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_susp_web_request_cmd.yml b/rules/alert-rules/sigma/process_creation_susp_web_request_cmd.yml
deleted file mode 100644
index 760b4791..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_web_request_cmd.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Windows Suspicious Use Of Web Request in CommandLine
-author: James Pemberton / @4A616D6573
-date: 2019/10/24
-description: Detects the use of various web request with commandline tools or Windows
- PowerShell command,methods (including aliases)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Invoke-WebRequest*'
- SELECTION_3:
- CommandLine: '*iwr *'
- SELECTION_4:
- CommandLine: '*wget *'
- SELECTION_5:
- CommandLine: '*curl *'
- SELECTION_6:
- CommandLine: '*Net.WebClient*'
- SELECTION_7:
- CommandLine: '*Start-BitsTransfer*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7))
-falsepositives:
-- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
-id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
-- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: process_creation_susp_web_request_cmd.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
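Review bot: SELECTION_4 and SELECTION_5 match any command line containing `wget ` or `curl `, and curl.exe is a built-in on Windows 10 (since 1803) and Server 2019, so this medium-level rule will fire on routine scripted downloads; the single `falsepositives` entry (Get-Command/Get-Help lookups) understates that. If the rule is re-added, either document the curl/wget noise or scope those two selections, for example to a parent of an Office application or script host.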
diff --git a/rules/alert-rules/sigma/process_creation_susp_winzip.yml b/rules/alert-rules/sigma/process_creation_susp_winzip.yml
deleted file mode 100644
index f0c1fc91..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_winzip.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Compress Data and Lock With Password for Exfiltration With WINZIP
-author: frack113
-date: 2021/07/27
-description: An adversary may compress or encrypt data that is collected prior to
- exfiltration using 3rd party utilities
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*winzip.exe*'
- SELECTION_3:
- CommandLine: '*winzip64.exe*'
- SELECTION_4:
- CommandLine: '*-s"*'
- SELECTION_5:
- CommandLine: '* -min *'
- SELECTION_6:
- CommandLine: '* -a *'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4) and
- (SELECTION_5 or SELECTION_6))
-falsepositives:
-- Unknown
-id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
-status: experimental
-tags:
-- attack.collection
-- attack.t1560.001
-yml_filename: process_creation_susp_winzip.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_susp_zip_compress.yml b/rules/alert-rules/sigma/process_creation_susp_zip_compress.yml
deleted file mode 100644
index 912357c0..00000000
--- a/rules/alert-rules/sigma/process_creation_susp_zip_compress.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-author: frack113
-date: 2021/07/20
-description: Use living off the land tools to zip a file and stage it in the Windows
- temporary folder for later exfiltration
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Compress-Archive *'
- SELECTION_3:
- CommandLine: '* -Path *'
- SELECTION_4:
- CommandLine: '* -DestinationPath *'
- SELECTION_5:
- CommandLine: '*$env:TEMP\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
-related:
-- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
-status: experimental
-tags:
-- attack.collection
-- attack.t1074.001
-yml_filename: process_creation_susp_zip_compress.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_exe.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_exe.yml
deleted file mode 100644
index f8202914..00000000
--- a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_exe.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
-date: 2020/10/05
-description: Detects SyncAppvPublishingServer process execution which usually utilized
- by adversaries to bypass PowerShell execution restrictions.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\SyncAppvPublishingServer.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- App-V clients
-id: fde7929d-8beb-4a4c-b922-be9974671667
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/11
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-status: deprecated
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_syncappvpublishingserver_exe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
diff --git a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
deleted file mode 100644
index ea701a51..00000000
--- a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
-author: frack113
-date: 2021/07/12
-description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\SyncAppvPublishingServer.exe'
- SELECTION_3:
- CommandLine: '*"n; *'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- App-V clients
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: fbd7c32d-db2a-4418-b92c-566eb8911133
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-related:
-- id: fde7929d-8beb-4a4c-b922-be9974671667
- type: obsoletes
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
deleted file mode 100644
index 6e69cacb..00000000
--- a/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
-author: frack113
-date: 2021/07/16
-description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*\SyncAppvPublishingServer.vbs*'
- SELECTION_3:
- CommandLine: '*"n;*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
-- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-- attack.t1216
-yml_filename: process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_sysinternals_eula_accepted.yml b/rules/alert-rules/sigma/process_creation_sysinternals_eula_accepted.yml
deleted file mode 100644
index 8633931b..00000000
--- a/rules/alert-rules/sigma/process_creation_sysinternals_eula_accepted.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Usage of Sysinternals Tools
-author: Markus Neis
-date: 2017/08/28
-description: Detects the usage of Sysinternals Tools due to accepteula key being added
- to Registry
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '* -accepteula*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use of SysInternals tools
-- Programs that use the same Registry Key
-id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
-level: low
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://twitter.com/Moti_B/status/1008587936735035392
-related:
-- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
- type: derived
-status: experimental
-tags:
-- attack.resource_development
-- attack.t1588.002
-yml_filename: process_creation_sysinternals_eula_accepted.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
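Review bot: the description ("due to accepteula key being added to Registry") describes a registry-event detection, but the logic here is a `process_creation` match on `* -accepteula*` in the command line, an earlier and different signal that fires whether or not the key is written. Reword the description to say the rule keys on the `-accepteula` switch, and move the second false-positive entry ("Programs that use the same Registry Key") to the registry variant the `related` id points at, where it belongs.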
diff --git a/rules/alert-rules/sigma/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/alert-rules/sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
deleted file mode 100644
index 45f10a9a..00000000
--- a/rules/alert-rules/sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: UAC Bypass via Event Viewer
-author: Florian Roth
-date: 2017/03/19
-description: Detects UAC bypass method using Windows event viewer
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\eventvwr.exe'
- SELECTION_3:
- Image: '*\mmc.exe'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- unknown
-fields:
-- CommandLine
-- ParentCommandLine
-id: be344333-921d-4c4d-8bb8-e584cf584780
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/12
-references:
-- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
-related:
-- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1088
-- attack.t1548.002
-- car.2019-04-001
-yml_filename: process_creation_sysmon_uac_bypass_eventvwr.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creation_tool_psexec.yml b/rules/alert-rules/sigma/process_creation_tool_psexec.yml
deleted file mode 100644
index 211ae88b..00000000
--- a/rules/alert-rules/sigma/process_creation_tool_psexec.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: PsExec Tool Execution
-author: Thomas Patzke
-date: 2017/06/12
-description: Detects PsExec service installation and execution events (service and
- Sysmon)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\PSEXESVC.exe'
- SELECTION_3:
- User: NT AUTHORITY\SYSTEM*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- ServiceName
-- ServiceFileName
-- TargetFilename
-- PipeName
-id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
-level: low
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-- https://jpcertcc.github.io/ToolAnalysisResultSheet
-related:
-- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1035
-- attack.t1569.002
-- attack.s0029
-yml_filename: process_creation_tool_psexec.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
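Review bot: the `fields` list (`ServiceName`, `ServiceFileName`, `TargetFilename`, `PipeName`) and the description's "service and Sysmon" wording come from a multi-source original, but the detection here is only EventID 1 process creation of `*\PSEXESVC.exe` running as `NT AUTHORITY\SYSTEM*`, where none of those service or pipe fields exist. Trim `fields` to what a process-creation event carries (`CommandLine`, `ParentCommandLine`, `User`) and reword the description to match the single log source.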
diff --git a/rules/alert-rules/sigma/process_creation_tttracer_mod_load.yml b/rules/alert-rules/sigma/process_creation_tttracer_mod_load.yml
deleted file mode 100644
index f716acce..00000000
--- a/rules/alert-rules/sigma/process_creation_tttracer_mod_load.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Time Travel Debugging Utility Usage
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
-date: 2020/10/06
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
- malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\tttracer.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate usage by software developers/testers
-id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
-- https://twitter.com/mattifestation/status/1196390321783025666
-- https://twitter.com/oulusoyum/status/1191329746069655553
-related:
-- id: e76c8240-d68f-4773-8880-5c6f63595aaf
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.credential_access
-- attack.t1218
-- attack.t1003.001
-yml_filename: process_creation_tttracer_mod_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
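Review bot: the deleted file's metadata is internally inconsistent: `logsource.category` is `process_creation` and the detection keys on `ParentImage: '*\tttracer.exe'` from EventID 1, yet `yml_path` ends in `windows/image_load` and the filename says `mod_load`. If this rule is regenerated, resolve the category/path mismatch so the file lands in the process_creation directory (or, if an image_load variant is intended, key on `ImageLoaded` under EventID 7 instead).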
diff --git a/rules/alert-rules/sigma/process_creation_win_exchange_transportagent.yml b/rules/alert-rules/sigma/process_creation_win_exchange_transportagent.yml
deleted file mode 100644
index e318f8bc..00000000
--- a/rules/alert-rules/sigma/process_creation_win_exchange_transportagent.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: MSExchange Transport Agent Installation
-author: Tobias Michalski
-date: 2021/06/08
-description: Detects the Installation of a Exchange Transport Agent
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Install-TransportAgent*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
- for this.
-fields:
-- AssemblyPath
-id: 83809e84-4475-4b69-bc3e-4aad8568612f
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-status: experimental
-tags:
-- attack.persistence
-- attack.t1505.002
-yml_filename: process_creation_win_exchange_transportagent.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_creationn_apt_chafer_mar18.yml b/rules/alert-rules/sigma/process_creationn_apt_chafer_mar18.yml
deleted file mode 100644
index a5408a61..00000000
--- a/rules/alert-rules/sigma/process_creationn_apt_chafer_mar18.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: Chafer Activity
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
- in March 2018
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*-q=TXT*'
- SELECTION_11:
- ParentImage: '*\Autoit*'
- SELECTION_2:
- CommandLine: '*\Service.exe*'
- SELECTION_3:
- CommandLine: '*i'
- SELECTION_4:
- CommandLine: '*u'
- SELECTION_5:
- CommandLine: '*\microsoft\Taskbar\autoit3.exe'
- SELECTION_6:
- CommandLine: C:\wsc.exe*
- SELECTION_7:
- Image: '*\Windows\Temp\DB\\*'
- SELECTION_8:
- Image: '*.exe'
- SELECTION_9:
- CommandLine: '*\nslookup.exe*'
- condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4)) or
- (SELECTION_5 or SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
- and SELECTION_10 and SELECTION_11)))
-falsepositives:
-- Unknown
-id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-related:
-- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: derived
-tags:
-- attack.persistence
-- attack.g0049
-- attack.t1053
-- attack.t1053.005
-- attack.s0111
-- attack.t1050
-- attack.t1543.003
-- attack.defense_evasion
-- attack.t1112
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-yml_filename: process_creationn_apt_chafer_mar18.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
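Review bot: the filename `process_creationn_apt_chafer_mar18.yml` has a doubled "n"; if this deletion is paired with a re-add under the corrected name, use a rename (or say so in the commit message) so the rule's history is preserved. For any replacement, note that `SELECTION_3` (`CommandLine: '*i'`) and `SELECTION_4` (`'*u'`) are single-trailing-character suffix matches; they are only bounded because the condition joins them with `SELECTION_2` (`*\Service.exe*`), so the grouping must be kept exactly as written.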
diff --git a/rules/alert-rules/sigma/process_mailboxexport_share.yml b/rules/alert-rules/sigma/process_mailboxexport_share.yml
deleted file mode 100644
index cf36e8cd..00000000
--- a/rules/alert-rules/sigma/process_mailboxexport_share.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Suspicious PowerShell Mailbox Export to Share
-author: Florian Roth
-date: 2021/08/07
-description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
- to a local share, as used in ProxyShell exploitations
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*New-MailboxExport*'
- SELECTION_3:
- CommandLine: '* -Mailbox *'
- SELECTION_4:
- CommandLine: '* -FilePath \\127.0.0.1\C$*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-fields:
-- CommandLine
-- ParentCommandLine
-id: 889719ef-dd62-43df-86c3-768fb08dc7c0
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://youtu.be/5mqid-7zp8k?t=2481
-- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
-- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
-status: experimental
-tags:
-- attack.persistence
-- attack.t1505.003
-- attack.resource_development
-- attack.t1584.006
-yml_filename: process_mailboxexport_share.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/process_susp_esentutl_params.yml b/rules/alert-rules/sigma/process_susp_esentutl_params.yml
deleted file mode 100644
index 953d3e71..00000000
--- a/rules/alert-rules/sigma/process_susp_esentutl_params.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Esentutl Gather Credentials
-author: sam0x90
-date: 2021/08/06
-description: Conti recommendation to its affiliates to use esentult to access NTDS
- dumped file. Trickbot also uses this utilities to get MSEdge info via its module
- pwgrab.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*esentutl*'
- SELECTION_3:
- CommandLine: '* /p*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- To be determined
-fields:
-- User
-- CommandLine
-- ParentCommandLine
-- CurrentDirectory
-id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/vxunderground/status/1423336151860002816
-- https://attack.mitre.org/software/S0404/
-- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.003
-yml_filename: process_susp_esentutl_params.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/alert-rules/sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
deleted file mode 100644
index e12e7430..00000000
--- a/rules/alert-rules/sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-title: Abusing Windows Telemetry For Persistence
-author: Sreeman
-date: 2020/09/29
-description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
- a variety of commands and perform the actual telemetry collections. This binary
- was created to be easily extensible, and to that end, it relies on the registry
- to instruct on which commands to run. The problem is, it will run any arbitrary
- command without restriction of location or type.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*.cmd'
- SELECTION_11:
- Details: '*.js'
- SELECTION_12:
- Details: '*.ps'
- SELECTION_13:
- Details: '*.vb'
- SELECTION_14:
- Details: '*.jar'
- SELECTION_15:
- Details: '*.hta'
- SELECTION_16:
- Details: '*.msi'
- SELECTION_17:
- Details: '*.vbs'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\\*'
- SELECTION_5:
- Details: '*.sh'
- SELECTION_6:
- Details: '*.exe'
- SELECTION_7:
- Details: '*.dll'
- SELECTION_8:
- Details: '*.bin'
- SELECTION_9:
- Details: '*.bat'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17))
-falsepositives:
-- none
-fields:
-- EventID
-- CommandLine
-- TargetObject
-- Details
-id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/24
-references:
-- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.persistence
-- attack.t1112
-- attack.t1053
-yml_filename: registry_event_abusing_windows_telemetry_for_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
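Review bot: `SELECTION_12` in this hunk is `Details: '*.ps'`, a suffix match that does not match `.ps1`, the actual PowerShell script extension; the list already separates `.vb` from `.vbs`, so a regenerated rule should add `'*.ps1'` alongside it. Also, `falsepositives: none` is not one of the values the rule-writing guidance earlier in this diff accepts; `unknown` or a concrete description is expected.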
diff --git a/rules/alert-rules/sigma/registry_event_apt_chafer_mar18.yml b/rules/alert-rules/sigma/registry_event_apt_chafer_mar18.yml
deleted file mode 100644
index dc9fc1a8..00000000
--- a/rules/alert-rules/sigma/registry_event_apt_chafer_mar18.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Chafer Activity
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
- in March 2018
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- SELECTION_5:
- TargetObject: '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/19
-references:
-- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-related:
-- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: derived
-tags:
-- attack.persistence
-- attack.g0049
-- attack.t1053
-- attack.t1053.005
-- attack.s0111
-- attack.t1050
-- attack.t1543.003
-- attack.defense_evasion
-- attack.t1112
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-yml_filename: registry_event_apt_chafer_mar18.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_apt_pandemic.yml b/rules/alert-rules/sigma/registry_event_apt_pandemic.yml
deleted file mode 100644
index c47925a6..00000000
--- a/rules/alert-rules/sigma/registry_event_apt_pandemic.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Pandemic Registry Key
-author: Florian Roth
-date: 2017/06/01
-description: Detects Pandemic Windows Implant
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SYSTEM\CurrentControlSet\services\null\Instance*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- Image
-- User
-- TargetObject
-id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/12
-references:
-- https://wikileaks.org/vault7/#Pandemic
-- https://twitter.com/MalwareJake/status/870349480356454401
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-yml_filename: registry_event_apt_pandemic.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/alert-rules/sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
deleted file mode 100644
index af6ee755..00000000
--- a/rules/alert-rules/sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
-author: Sittikorn S
-date: 2021/07/16
-description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
- CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32*'
- SELECTION_5:
- TargetObject: '*\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and IMJPUEXP.DLL)
-falsepositives:
-- Unlikely
-id: 32b5db62-cb5f-4266-9639-0fa48376ac00
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/09
-references:
-- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
-- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1566
-- attack.t1203
-- cve.2021.33771
-- cve.2021.31979
-yml_filename: registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
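Review bot: the `condition` in this hunk ends with `and IMJPUEXP.DLL`, a bare token that is not one of the `SELECTION_n` identifiers, so the rule could never have been parsed or evaluated as intended. If a regenerated rule replaces it, the DLL name should become a proper selection (for example a `Details`/`NewValue` match on `*IMJPUEXP.DLL*`) and the condition should reference that selection, not a literal.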
diff --git a/rules/alert-rules/sigma/registry_event_defender_disabled.yml b/rules/alert-rules/sigma/registry_event_defender_disabled.yml
deleted file mode 100644
index 15ec1e9d..00000000
--- a/rules/alert-rules/sigma/registry_event_defender_disabled.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Windows Defender Threat Detection Disabled
-author: "J\xE1n Tren\u010Dansk\xFD, frack113, AlertIQ"
-date: 2020/07/28
-description: Detects disabling Windows Defender threat protection
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- Details: DWORD (0x00000001)
- SELECTION_5:
- EventType: SetValue
- SELECTION_6:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
- SELECTION_7:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
- SELECTION_8:
- TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
- SELECTION_9:
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and ((SELECTION_5
- and (SELECTION_6 or SELECTION_7)) or (SELECTION_8 or SELECTION_9 or SELECTION_10)))
-falsepositives:
-- Administrator actions
-id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/10/18
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
-related:
-- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: registry_event_defender_disabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
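Review bot: the branch `(SELECTION_8 or SELECTION_9 or SELECTION_10)` in this hunk's condition was dead logic: those three `TargetObject` values are exact key paths with no wildcard, while `SELECTION_4` (`Details: DWORD (0x00000001)`) is only populated on SetValue events whose `TargetObject` ends in a value name, so both can never be true for the same event. A regenerated rule should either wildcard those paths (`...\Windows Defender\*`) or drop the branch and keep only the `SELECTION_5 and (SELECTION_6 or SELECTION_7)` path.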
diff --git a/rules/alert-rules/sigma/registry_event_defender_exclusions.yml b/rules/alert-rules/sigma/registry_event_defender_exclusions.yml
deleted file mode 100644
index 6024d048..00000000
--- a/rules/alert-rules/sigma/registry_event_defender_exclusions.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Windows Defender Exclusions Added
-author: Christian Burkard
-date: 2021/07/06
-description: Detects the Setting of Windows Defender Exclusions
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*\Microsoft\Windows Defender\Exclusions*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Administrator actions
-id: a982fc9c-6333-4ffb-a51d-addb04e8b529
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/21
-references:
-- https://twitter.com/_nullbind/status/1204923340810543109
-related:
-- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
- type: derived
-status: test
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: registry_event_defender_exclusions.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_defender_realtime_protection_disabled.yml b/rules/alert-rules/sigma/registry_event_defender_realtime_protection_disabled.yml
deleted file mode 100644
index a8dc12e1..00000000
--- a/rules/alert-rules/sigma/registry_event_defender_realtime_protection_disabled.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: Windows Defender Real-Time Protection Disabled
-author: AlertIQ
-date: 2021/10/18
-description: Detects disabling Windows Defender Real-Time Protection by modifying
- registry
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
- SELECTION_11:
- Details: DWORD (0x00000001)
- SELECTION_12:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
- SELECTION_13:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
- SELECTION_14:
- Details: DWORD (0x00000000)
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
- Protection\DisableBehaviorMonitoring
- SELECTION_6:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
- Protection\DisableIOAVProtection
- SELECTION_7:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
- Protection\DisableOnAccessProtection
- SELECTION_8:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
- Protection\DisableRealtimeMonitoring
- SELECTION_9:
- TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
- Protection\DisableScanOnRealtimeEnable
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (((SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- and SELECTION_11) or ((SELECTION_12 or SELECTION_13) and SELECTION_14)))
-falsepositives:
-- Administrator actions
-id: fd115e64-97c7-491f-951c-fc8da7e042fa
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
-- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: registry_event_defender_realtime_protection_disabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_dns_serverlevelplugindll.yml b/rules/alert-rules/sigma/registry_event_dns_serverlevelplugindll.yml
deleted file mode 100644
index dce5fccf..00000000
--- a/rules/alert-rules/sigma/registry_event_dns_serverlevelplugindll.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: DNS ServerLevelPluginDll Install
-author: Florian Roth
-date: 2017/05/08
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
- in Registry, which can be used to execute code in context of the DNS server (restart
- required)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- unknown
-fields:
-- EventID
-- CommandLine
-- ParentCommandLine
-- Image
-- User
-- TargetObject
-id: e61e8a88-59a9-451c-874e-70fcc9740d67
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/12
-references:
-- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-- attack.t1112
-yml_filename: registry_event_dns_serverlevelplugindll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_mal_adwind.yml b/rules/alert-rules/sigma/registry_event_mal_adwind.yml
deleted file mode 100644
index a09ac413..00000000
--- a/rules/alert-rules/sigma/registry_event_mal_adwind.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Adwind RAT / JRAT
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- SELECTION_5:
- Details: '%AppData%\Roaming\Oracle\bin\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/19
-references:
-- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
-- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-related:
-- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.005
-- attack.t1059.007
-- attack.t1064
-yml_filename: registry_event_mal_adwind.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_mal_azorult.yml b/rules/alert-rules/sigma/registry_event_mal_azorult.yml
deleted file mode 100644
index 7e90f151..00000000
--- a/rules/alert-rules/sigma/registry_event_mal_azorult.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Registry Entries For Azorult Malware
-author: Trent Liffick
-date: 2020/05/08
-description: Detects the presence of a registry key created during Azorult execution
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventID: 12
- SELECTION_5:
- EventID: 13
- SELECTION_6:
- TargetObject: '*SYSTEM\\*'
- SELECTION_7:
- TargetObject: '*\services\localNETService'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- unknown
-fields:
-- Image
-- TargetObject
-- TargetDetails
-id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-yml_filename: registry_event_mal_azorult.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
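Review bot: `SELECTION_4` and `SELECTION_5` in this hunk duplicate `SELECTION_1` and `SELECTION_2` (`EventID: 12` and `13`), and because the condition ANDs `(SELECTION_4 or SELECTION_5)` with the first group, EventID 14 (`SELECTION_3`) is silently excluded; this looks like a converter artefact from a nested selection. Also `yml_path` ends in `windows/malware` while `logsource.category` is `registry_event`. Both should be cleaned up in any replacement rule.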
diff --git a/rules/alert-rules/sigma/registry_event_mal_blue_mockingbird.yml b/rules/alert-rules/sigma/registry_event_mal_blue_mockingbird.yml
deleted file mode 100644
index 5ac84705..00000000
--- a/rules/alert-rules/sigma/registry_event_mal_blue_mockingbird.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Blue Mockingbird
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-description: Attempts to detect system changes made by Blue Mockingbird
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- unknown
-id: 92b0b372-a939-44ed-a11b-5136cf680e27
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/11
-references:
-- https://redcanary.com/blog/blue-mockingbird-cryptominer/
-related:
-- id: c3198a27-23a0-4c2c-af19-e5328d49680e
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-- attack.t1047
-yml_filename: registry_event_mal_blue_mockingbird.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/registry_event_mal_flowcloud.yml b/rules/alert-rules/sigma/registry_event_mal_flowcloud.yml
deleted file mode 100644
index 2efc74a7..00000000
--- a/rules/alert-rules/sigma/registry_event_mal_flowcloud.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: FlowCloud Malware
-author: NVISO
-date: 2020/06/09
-description: Detects FlowCloud malware from threat group TA410.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
- SELECTION_5:
- TargetObject: HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
- SELECTION_6:
- TargetObject: HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
- SELECTION_7:
- TargetObject: HKLM\SYSTEM\Setup\PrintResponsor\\*
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5
- or SELECTION_6) or (SELECTION_7)))
-falsepositives:
-- Unknown
-id: 5118765f-6657-4ddb-a487-d7bd673abbf1
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/07/22
-references:
-- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
-status: experimental
-tags:
-- attack.persistence
-- attack.t1112
-yml_filename: registry_event_mal_flowcloud.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/registry_event_mal_ursnif.yml b/rules/alert-rules/sigma/registry_event_mal_ursnif.yml
deleted file mode 100644
index 85992436..00000000
--- a/rules/alert-rules/sigma/registry_event_mal_ursnif.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Ursnif
-author: megan201296
-date: 2019/02/13
-description: Detects new registry key created by Ursnif malware.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
- SELECTION_5:
- TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*'
- SELECTION_6:
- TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*'
- SELECTION_7:
- TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
- ((SELECTION_5 or SELECTION_6 or SELECTION_7)))
-falsepositives:
-- Unknown
-id: 21f17060-b282-4249-ade0-589ea3591558
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/10/28
-references:
-- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
-- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-yml_filename: registry_event_mal_ursnif.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
-
diff --git a/rules/alert-rules/sigma/registry_event_mstsc_history_cleared.yml b/rules/alert-rules/sigma/registry_event_mstsc_history_cleared.yml
deleted file mode 100644
index 931cc857..00000000
--- a/rules/alert-rules/sigma/registry_event_mstsc_history_cleared.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Terminal Server Client Connection History Cleared
-author: Christian Burkard
-date: 2021/10/19
-description: Detects the deletion of registry keys containing the MSTSC connection
- history
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: DeleteValue
- SELECTION_5:
- TargetObject: '*\Microsoft\Terminal Server Client\Default\MRU*'
- SELECTION_6:
- EventType: DeleteKey
- SELECTION_7:
- TargetObject: '*\Microsoft\Terminal Server Client\Servers\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
-- unknown
-id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
-- http://woshub.com/how-to-clear-rdp-connections-history/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070
-- attack.t1112
-yml_filename: registry_event_mstsc_history_cleared.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/registry_event_net_ntlm_downgrade.yml b/rules/alert-rules/sigma/registry_event_net_ntlm_downgrade.yml
deleted file mode 100644
index df4116b9..00000000
--- a/rules/alert-rules/sigma/registry_event_net_ntlm_downgrade.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: NetNTLM Downgrade Attack
-author: Florian Roth, wagga
-date: 2018/03/20
-description: Detects NetNTLM downgrade attack
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*SYSTEM\\*'
- SELECTION_5:
- TargetObject: '*ControlSet*'
- SELECTION_6:
- TargetObject: '*\Control\Lsa*'
- SELECTION_7:
- TargetObject: '*\lmcompatibilitylevel'
- SELECTION_8:
- TargetObject: '*\NtlmMinClientSec'
- SELECTION_9:
- TargetObject: '*\RestrictSendingNTLMTraffic'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6 and (SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Unknown
-id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/21
-references:
-- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-- attack.t1112
-yml_filename: registry_event_net_ntlm_downgrade.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
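Review bot: this deleted rule has no `status` field, unlike the other rules in this diff, and `SELECTION_7` uses `*\lmcompatibilitylevel` in all lower case while the registry value is written `LmCompatibilityLevel`; whether that matches depends on the engine's case handling for `TargetObject`. If the rule is regenerated, add `status` and use the canonical casing (or confirm the matcher is case-insensitive) so the `attack.t1562.001` downgrade detection is not lost.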
diff --git a/rules/alert-rules/sigma/registry_event_stickykey_like_backdoor.yml b/rules/alert-rules/sigma/registry_event_stickykey_like_backdoor.yml
deleted file mode 100644
index 9a9a1605..00000000
--- a/rules/alert-rules/sigma/registry_event_stickykey_like_backdoor.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Sticky Key Like Backdoor Usage
-author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-description: Detects the usage and installation of a backdoor that uses an option
- to register a malicious debugger for built-in tools that are accessible in the
- login screen
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\sethc.exe\Debugger'
- SELECTION_5:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\utilman.exe\Debugger'
- SELECTION_6:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\osk.exe\Debugger'
- SELECTION_7:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\Magnify.exe\Debugger'
- SELECTION_8:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\Narrator.exe\Debugger'
- SELECTION_9:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\DisplaySwitch.exe\Debugger'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Unlikely
-id: baca5663-583c-45f9-b5dc-ea96a22ce542
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/12
-references:
-- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-tags:
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1015
-- attack.t1546.008
-- car.2014-11-003
-- car.2014-11-008
-yml_filename: registry_event_stickykey_like_backdoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
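Review bot: each IFEO `TargetObject` value in SELECTION_4 through SELECTION_9 is wrapped across two lines (`...\Image File Execution` / `Options\sethc.exe\Debugger`); YAML folds the break into one space so the pattern still reads `Image File Execution Options`, but a line break inside a registry path is easy to mis-edit and defeats grepping for the literal key. A regenerated copy should keep each path on a single line.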
diff --git a/rules/alert-rules/sigma/registry_event_sysinternals_eula_accepted.yml b/rules/alert-rules/sigma/registry_event_sysinternals_eula_accepted.yml
deleted file mode 100644
index 566637c5..00000000
--- a/rules/alert-rules/sigma/registry_event_sysinternals_eula_accepted.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Usage of Sysinternals Tools
-author: Markus Neis
-date: 2017/08/28
-description: Detects the usage of Sysinternals Tools due to accepteula key being added
- to Registry
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\EulaAccepted'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Legitimate use of SysInternals tools
-- Programs that use the same Registry Key
-id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
-level: low
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/12
-references:
-- https://twitter.com/Moti_B/status/1008587936735035392
-status: experimental
-tags:
-- attack.resource_development
-- attack.t1588.002
-yml_filename: registry_event_sysinternals_eula_accepted.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
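Review bot: `SELECTION_4` (`TargetObject: '*\EulaAccepted'`) matches a value named `EulaAccepted` under any key, and the rule's own `falsepositives` lists other programs that use the same name; at `level: low` this is a hunting rule rather than an alert, so if the deletion is a cleanup it should move to a hunting/informational set rather than be dropped outright. The `attack.resource_development` / `attack.t1588.002` mapping also looks wrong for on-host execution of the tool; check the mapping if it is re-added.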
diff --git a/rules/alert-rules/sigma/registry_event_uac_bypass_eventvwr.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_eventvwr.yml
deleted file mode 100644
index f8601d33..00000000
--- a/rules/alert-rules/sigma/registry_event_uac_bypass_eventvwr.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: UAC Bypass via Event Viewer
-author: Florian Roth
-date: 2017/03/19
-description: Detects UAC bypass method using Windows event viewer
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCU\\*
- SELECTION_5:
- TargetObject: '*\mscfile\shell\open\command'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- unknown
-id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/12
-references:
-- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1088
-- attack.t1548.002
-- car.2019-04-001
-yml_filename: registry_event_uac_bypass_eventvwr.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
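Review bot: `SELECTION_4` is an unquoted plain scalar (`HKCU\\*`) while `SELECTION_5` is single-quoted (`'*\mscfile\shell\open\command'`); both parse, but the unquoted form depends on YAML treating the backslashes literally, and quoting should be uniform across a generated rule set. `falsepositives` is spelled `unknown` here but `Unknown` in the neighbouring rules; pick one spelling for the whole set.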
diff --git a/rules/alert-rules/sigma/registry_event_uac_bypass_winsat.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_winsat.yml
deleted file mode 100644
index 41e7811b..00000000
--- a/rules/alert-rules/sigma/registry_event_uac_bypass_winsat.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: UAC Bypass Abusing Winsat Path Parsing - Registry
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
- (UACMe 52)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Root\InventoryApplicationFile\winsat.exe|*'
- SELECTION_5:
- TargetObject: '*\LowerCaseLongPath'
- SELECTION_6:
- Details: c:\users\\*
- SELECTION_7:
- Details: '*\appdata\local\temp\system32\winsat.exe'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- Unknown
-id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: registry_event_uac_bypass_winsat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
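Review bot: `SELECTION_6` (`Details: c:\users\\*`) is an unquoted scalar ending in an escaped backslash plus wildcard, while `SELECTION_7` quotes its pattern (`'*\appdata\local\temp\system32\winsat.exe'`); quote both the same way so the escaping rules are applied consistently. Also note the rule has no `modified` field, unlike its siblings, so a regenerated copy should carry current metadata.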
diff --git a/rules/alert-rules/sigma/registry_event_uac_bypass_wmp.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_wmp.yml
deleted file mode 100644
index e02b9190..00000000
--- a/rules/alert-rules/sigma/registry_event_uac_bypass_wmp.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: UAC Bypass Using Windows Media Player - Registry
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
- (UACMe 32)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility
- Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
- SELECTION_5:
- Details: Binary Data
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: registry_event_uac_bypass_wmp.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
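Review bot: the `TargetObject` in `SELECTION_4` is wrapped in the middle of a key name (`...AppCompatFlags\Compatibility` / `Assistant\Store\...`); YAML folding restores the space in `Compatibility Assistant`, but a wrap inside a key name is the easiest place to introduce a silent typo on the next edit. Keep the full path on one line in any regenerated rule.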
diff --git a/rules/alert-rules/sigma/silenttrinity_stager_msbuild_activity.yml b/rules/alert-rules/sigma/silenttrinity_stager_msbuild_activity.yml
deleted file mode 100644
index 4d9187d0..00000000
--- a/rules/alert-rules/sigma/silenttrinity_stager_msbuild_activity.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Silenttrinity Stager Msbuild Activity
-author: Kiran kumar s, oscd.community
-date: 2020/10/11
-description: Detects a possible remote connections to Silenttrinity c2
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\msbuild.exe'
- SELECTION_3:
- DestinationPort: '80'
- SELECTION_4:
- DestinationPort: '443'
- SELECTION_5:
- Initiated: 'true'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5)
-falsepositives:
-- unknown
-id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
-level: high
-logsource:
- category: network_connection
- product: windows
-references:
-- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
-status: experimental
-tags:
-- attack.execution
-- attack.t1127.001
-yml_filename: silenttrinity_stager_msbuild_activity.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
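Review bot: `DestinationPort` is given as quoted strings (`'80'`, `'443'`) and `Initiated` as `'true'`, while `EventID: 3` is a bare integer; if the engine compares typed values, the string `'80'` will not equal a numeric port 80. Use one scalar type for numeric and boolean fields across the rule set and confirm the field types against a sample Sysmon event ID 3 before re-adding. The description's "a possible remote connections" should read "possible remote connections".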
diff --git a/rules/alert-rules/sigma/sysmon_abusing_azure_browser_sso.yml b/rules/alert-rules/sigma/sysmon_abusing_azure_browser_sso.yml
deleted file mode 100644
index 831dcd32..00000000
--- a/rules/alert-rules/sigma/sysmon_abusing_azure_browser_sso.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Abusing Azure Browser SSO
-author: Den Iuzvyk
-date: 2020/07/15
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
- for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
- AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
- in the browser. An attacker can use this to authenticate to Azure AD in a browser
- as that user.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
- SELECTION_3:
- Image: '*BackgroundTaskHost.exe'
- SELECTION_4:
- Image: '*devenv.exe'
- SELECTION_5:
- Image: '*iexplore.exe'
- SELECTION_6:
- Image: '*MicrosoftEdge.exe'
- condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
- or SELECTION_5 or SELECTION_6)))
-falsepositives:
-- unknown
-id: 50f852e6-af22-4c78-9ede-42ef36aa3453
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/12/23
-references:
-- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1073
-- attack.t1574.002
-yml_filename: sysmon_abusing_azure_browser_sso.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
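Review bot: none of the `Image`/`ImageLoaded` patterns in SELECTION_2 through SELECTION_6 has a path separator before the file name (`'*MicrosoftAccountTokenProvider.dll'`, `'*BackgroundTaskHost.exe'`, `'*devenv.exe'`, ...), so the exclusions fire on any image whose name merely ends with those strings; a binary named `evilBackgroundTaskHost.exe` opts out of the rule. Anchor each exclusion as `'*\BackgroundTaskHost.exe'` and so on. The `not ((...))` double parentheses in the condition are harmless but should be collapsed by the converter, and `attack.t1073` is retired in favour of the `attack.t1574.002` tag already present.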
diff --git a/rules/alert-rules/sigma/sysmon_abusing_debug_privilege.yml b/rules/alert-rules/sigma/sysmon_abusing_debug_privilege.yml
deleted file mode 100644
index 80ebcf10..00000000
--- a/rules/alert-rules/sigma/sysmon_abusing_debug_privilege.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: Abused Debug Privilege by Arbitrary Parent Processes
-author: Semanur Guneysu @semanurtg, oscd.community
-date: 2020/10/28
-description: Detection of unusual child processes by different system processes
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- Image: '*\powershell.exe'
- SELECTION_11:
- Image: '*\cmd.exe'
- SELECTION_12:
- User: NT AUTHORITY\SYSTEM*
- SELECTION_13:
- User: AUTORITE NT\Sys*
- SELECTION_14:
- CommandLine: '* route *'
- SELECTION_15:
- CommandLine: '* ADD *'
- SELECTION_2:
- ParentImage: '*\winlogon.exe'
- SELECTION_3:
- ParentImage: '*\services.exe'
- SELECTION_4:
- ParentImage: '*\lsass.exe'
- SELECTION_5:
- ParentImage: '*\csrss.exe'
- SELECTION_6:
- ParentImage: '*\smss.exe'
- SELECTION_7:
- ParentImage: '*\wininit.exe'
- SELECTION_8:
- ParentImage: '*\spoolsv.exe'
- SELECTION_9:
- ParentImage: '*\searchindexer.exe'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10
- or SELECTION_11) and (SELECTION_12 or SELECTION_13)) and not (SELECTION_14
- and SELECTION_15))
-falsepositives:
-- unknown
-fields:
-- ParentImage
-- Image
-- User
-- CommandLine
-id: d522eca2-2973-4391-a3e0-ef0374321dae
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1548
-yml_filename: sysmon_abusing_debug_privilege.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
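Review bot: the exclusion `not (SELECTION_14 and SELECTION_15)` drops any SYSTEM-spawned `cmd.exe`/`powershell.exe` whose `CommandLine` contains both ` route ` and ` ADD `, so an attacker who appends ` route ADD ` to an otherwise malicious command line escapes the rule entirely. Either remove the exclusion or tighten it to the exact benign invocation (parent plus full command). The selections are also emitted in lexical order (SELECTION_10 ... SELECTION_15 before SELECTION_2), which makes the four-way condition hard to audit.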
diff --git a/rules/alert-rules/sigma/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/alert-rules/sigma/sysmon_accesschk_usage_after_priv_escalation.yml
deleted file mode 100644
index d9ca2554..00000000
--- a/rules/alert-rules/sigma/sysmon_accesschk_usage_after_priv_escalation.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Accesschk Usage After Privilege Escalation
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-description: Accesschk is an access and privilege audit tool developed by SysInternal
- and often being used by attacker to verify if a privilege escalation process successful
- or not
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- IntegrityLevel: Medium
- SELECTION_3:
- Product: '*AccessChk'
- SELECTION_4:
- Description: '*Reports effective permissions*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- System administrator Usage
-- Penetration test
-fields:
-- IntegrityLevel
-- Product
-- Description
-id: c625d754-6a3d-4f65-9c9a-536aea960d37
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
-status: experimental
-tags:
-- attack.discovery
-- attack.t1069.001
-yml_filename: sysmon_accesschk_usage_after_priv_escalation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
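Review bot: both positive selections depend on PE version-info strings (`Product: '*AccessChk'`, `Description: '*Reports effective permissions*'`), which a renamed or rebuilt copy of the tool can strip; a rule meant to catch post-escalation verification should also key on the image name or a known hash. Separately, the title says "After Privilege Escalation" but `SELECTION_2` fixes `IntegrityLevel: Medium`, i.e. the un-elevated run; if the intent is to catch the check that precedes escalation, say so in the description.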
diff --git a/rules/alert-rules/sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/alert-rules/sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
deleted file mode 100644
index 4d8d7f47..00000000
--- a/rules/alert-rules/sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Accessing WinAPI in PowerShell for Credentials Dumping
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects Accessing to lsass.exe by Powershell
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- EventID: 10
- SELECTION_3:
- SourceImage: '*\powershell.exe'
- SELECTION_4:
- TargetImage: '*\lsass.exe'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 3f07b9d1-2082-4c56-9277-613a621983cc
-level: high
-logsource:
- product: windows
- service: sysmon
-modified: 2021/05/24
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-yml_filename: sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
-
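Review bot: `SELECTION_3` covers only `'*\powershell.exe'`; PowerShell 7 runs as `pwsh.exe`, and the neighbouring "Alternate PowerShell Hosts" rules exist precisely because the engine is loaded by other processes, so the lsass-access check misses those. Add `'*\pwsh.exe'` at minimum. `logsource` here uses `service: sysmon` where the other rules use a `category` (`process_access` / `create_remote_thread`); one convention should be used so log routing behaves the same for every rule.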
diff --git a/rules/alert-rules/sigma/sysmon_ads_executable.yml b/rules/alert-rules/sigma/sysmon_ads_executable.yml
deleted file mode 100644
index 8a7f594b..00000000
--- a/rules/alert-rules/sigma/sysmon_ads_executable.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Executable in ADS
-author: Florian Roth, @0xrawsec
-date: 2018/06/03
-description: Detects the creation of an ADS data stream that contains an executable
- (non-empty imphash)
-detection:
- SELECTION_1:
- EventID: 15
- SELECTION_2:
- Imphash: '00000000000000000000000000000000'
- SELECTION_3:
- Imphash|re: ^$
- condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3)))
-falsepositives:
-- unknown
-fields:
-- TargetFilename
-- Image
-id: b69888d4-380c-45ce-9cf9-d9ce46e67821
-level: critical
-logsource:
- category: create_stream_hash
- definition: 'Requirements: Sysmon config with Imphash logging activated'
- product: windows
-modified: 2020/08/26
-references:
-- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.s0139
-- attack.t1564.004
-yml_filename: sysmon_ads_executable.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_stream_hash
-
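Review bot: the condition wraps single selections in redundant parentheses (`not ((SELECTION_2) or (SELECTION_3))`), a converter artefact seen across this set that is better fixed in the converter than per file. More importantly, the `definition` says Imphash logging must be enabled in the Sysmon config, and when it is not the rule simply never fires rather than failing loudly; if it is re-added, document that dependency in the description, not only in `logsource.definition`.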
diff --git a/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_moduleload.yml
deleted file mode 100644
index 8082143e..00000000
--- a/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_moduleload.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Alternate PowerShell Hosts
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: System.Management.Automation
- SELECTION_3:
- ImageLoaded: '*System.Management.Automation*'
- SELECTION_4:
- Image: '*\powershell.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Unknown
-id: fe6e002f-f244-4278-9263-20e4b593827f
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/05/12
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: sysmon_alternate_powershell_hosts_moduleload.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
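Review bot: the exclusion `SELECTION_4` covers only `'*\powershell.exe'`, while the sibling pipe rule (sysmon_alternate_powershell_hosts_pipe.yml) also excludes `'*\powershell_ise.exe'`; as written, every PowerShell ISE session loads `System.Management.Automation` and raises a medium alert. Align the two exclusion lists, and include `pwsh.exe` in both if PowerShell 7 hosts are in scope.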
diff --git a/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_pipe.yml b/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_pipe.yml
deleted file mode 100644
index 879231e4..00000000
--- a/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_pipe.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Alternate PowerShell Hosts Pipe
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: \PSHost*
- SELECTION_4:
- Image: '*\powershell.exe'
- SELECTION_5:
- Image: '*\powershell_ise.exe'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and not ((SELECTION_4
- or SELECTION_5)))
-falsepositives:
-- Programs using PowerShell directly without invocation of a dedicated interpreter.
-fields:
-- ComputerName
-- User
-- Image
-- PipeName
-id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
-level: medium
-logsource:
- category: pipe_created
- product: windows
-modified: 2019/11/10
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1086
-- attack.t1059.001
-yml_filename: sysmon_alternate_powershell_hosts_pipe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
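Review bot: `PipeName: \PSHost*` is an unquoted plain scalar with a leading backslash, whereas the `Image` patterns in the same rule are quoted; quote it for consistency with the escaping rules. The `tags` list also pairs the retired `attack.t1086` with `attack.t1059.001`; keep only the current ID if the rule is regenerated.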
diff --git a/rules/alert-rules/sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/alert-rules/sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
deleted file mode 100644
index 446239d2..00000000
--- a/rules/alert-rules/sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Always Install Elevated MSI Spawned Cmd And Powershell
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-description: This rule will looks for Windows Installer service (msiexec.exe) spawned
- command line and/or powershell
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\cmd.exe'
- SELECTION_3:
- Image: '*\powershell.exe'
- SELECTION_4:
- ParentImage: '*\Windows\Installer\\*'
- SELECTION_5:
- ParentImage: '*msi*'
- SELECTION_6:
- ParentImage: '*tmp'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and (SELECTION_6))
-falsepositives:
-- Penetration test
-fields:
-- Image
-- ParentImage
-id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
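Review bot: the description says the rule looks for the Windows Installer service (`msiexec.exe`) spawning cmd/powershell, but the condition requires `ParentImage` to match `'*\Windows\Installer\\*'` AND `'*msi*'` AND `'*tmp'`, i.e. only the `C:\Windows\Installer\MSIxxxx.tmp` helper binaries; a `msiexec.exe` parent never matches. Either add `ParentImage: '*\msiexec.exe'` as an alternative (as the sibling always_install_elevated_windows_installer rule does for `Image`) or correct the description. "This rule will looks for" should read "This rule looks for".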
diff --git a/rules/alert-rules/sigma/sysmon_always_install_elevated_windows_installer.yml b/rules/alert-rules/sigma/sysmon_always_install_elevated_windows_installer.yml
deleted file mode 100644
index 7763aedf..00000000
--- a/rules/alert-rules/sigma/sysmon_always_install_elevated_windows_installer.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Always Install Elevated Windows Installer
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-description: This rule will looks for Windows Installer service (msiexec.exe) when
- it tries to install MSI packages with SYSTEM privilege
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- User: NT AUTHORITY\SYSTEM*
- SELECTION_3:
- User: AUTORITE NT\Sys*
- SELECTION_4:
- Image: '*\Windows\Installer\\*'
- SELECTION_5:
- Image: '*msi*'
- SELECTION_6:
- Image: '*tmp'
- SELECTION_7:
- Image: '*\msiexec.exe'
- SELECTION_8:
- IntegrityLevel: System
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
- SELECTION_5 and (SELECTION_6)) or ((SELECTION_7) and SELECTION_8)))
-falsepositives:
-- System administrator Usage
-- Penetration test
-fields:
-- IntegrityLevel
-- User
-- Image
-id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/08/26
-references:
-- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_always_install_elevated_windows_installer.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
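Review bot: the `User` filter (`SELECTION_2` / `SELECTION_3`) hard-codes the English `NT AUTHORITY\SYSTEM*` and French `AUTORITE NT\Sys*` account names and gates both branches of the condition, so every other localized Windows build never matches, even though `SELECTION_8` already offers a locale-independent `IntegrityLevel: System` check. Prefer `IntegrityLevel` over the localized account name for both branches. `attack.t1548.002` denotes UAC bypass; AlwaysInstallElevated is a different sub-technique, so check the mapping before re-adding.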
diff --git a/rules/alert-rules/sigma/sysmon_apt_leviathan.yml b/rules/alert-rules/sigma/sysmon_apt_leviathan.yml
deleted file mode 100644
index 2b7dcc7d..00000000
--- a/rules/alert-rules/sigma/sysmon_apt_leviathan.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Leviathan Registry Key Activity
-author: Aidan Bracher
-date: 2020/07/07
-description: Detects registry key used by Leviathan APT in Malaysian focused campaign
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-id: 70d43542-cd2d-483c-8f30-f16b436fd7db
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/13
-references:
-- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
-status: experimental
-tags:
-- attack.persistence
-- attack.t1060
-- attack.t1547.001
-yml_filename: sysmon_apt_leviathan.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
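Review bot: this rule has no `falsepositives` key at all while every neighbouring rule carries one, and `SELECTION_4` is an exact, wildcard-free `TargetObject` (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd`). If it is re-added, include a `falsepositives` entry (even `unknown`) and verify against a real Sysmon registry event that the hive is recorded as `HKCU\` rather than a `HKU\<SID>\` form; an exact match on the wrong hive spelling never fires.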
diff --git a/rules/alert-rules/sigma/sysmon_apt_muddywater_dnstunnel.yml b/rules/alert-rules/sigma/sysmon_apt_muddywater_dnstunnel.yml
deleted file mode 100644
index 11447140..00000000
--- a/rules/alert-rules/sigma/sysmon_apt_muddywater_dnstunnel.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: DNS Tunnel Technique from MuddyWater
-author: '@caliskanfurkan_'
-date: 2020/06/04
-description: Detecting DNS tunnel activity for Muddywater actor
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\powershell.exe'
- SELECTION_3:
- ParentImage: '*\excel.exe'
- SELECTION_4:
- CommandLine: '*DataExchange.dll*'
- condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3) and (SELECTION_4))
-falsepositives:
-- Unknown
-id: 36222790-0d43-4fe8-86e4-674b27809543
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
-- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-yml_filename: sysmon_apt_muddywater_dnstunnel.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
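Review bot: the title and description promise DNS-tunnel detection, but the logic is process creation of `powershell.exe` from `excel.exe` with `DataExchange.dll` in the command line; nothing in the rule touches DNS. Retitle it to what it matches (Excel-spawned PowerShell referencing DataExchange.dll) so the alert name does not mislead the analyst. The condition also wraps single selections in parentheses (`(SELECTION_2) and (SELECTION_3) and (SELECTION_4)`).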
diff --git a/rules/alert-rules/sigma/sysmon_apt_oceanlotus_registry.yml b/rules/alert-rules/sigma/sysmon_apt_oceanlotus_registry.yml
deleted file mode 100644
index 13a3e82a..00000000
--- a/rules/alert-rules/sigma/sysmon_apt_oceanlotus_registry.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: OceanLotus Registry Activity
-author: megan201296, Jonhnathan Ribeiro
-date: 2019/04/14
-description: Detects registry keys created in OceanLotus (also known as APT32) attacks
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: '*Application'
- SELECTION_11:
- TargetObject: '*DefaultIcon'
- SELECTION_12:
- TargetObject: HKCU\\*
- SELECTION_13:
- TargetObject: '*Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*'
- SELECTION_14:
- TargetObject: '*Classes\AppX3bbba44c6cae4d9695755183472171e2\\*'
- SELECTION_15:
- TargetObject: '*Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*'
- SELECTION_16:
- TargetObject: '*Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
- SELECTION_5:
- TargetObject: HKCU\SOFTWARE\App\\*
- SELECTION_6:
- TargetObject: HKLM\SOFTWARE\App\\*
- SELECTION_7:
- TargetObject: '*AppXbf13d4ea2945444d8b13e2121cb6b663\\*'
- SELECTION_8:
- TargetObject: '*AppX70162486c7554f7f80f481985d67586d\\*'
- SELECTION_9:
- TargetObject: '*AppX37cc7fdccd644b4f85f4b22d5a3f105a\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or ((SELECTION_5
- or SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10
- or SELECTION_11))) or ((SELECTION_12) and (SELECTION_13 or SELECTION_14 or
- SELECTION_15 or SELECTION_16))))
-falsepositives:
-- Unknown
-id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/17
-references:
-- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
-- https://github.com/eset/malware-ioc/tree/master/oceanlotus
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_apt_oceanlotus_registry.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
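Review bot: `SELECTION_4` (exact path `HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model`) is fully covered by `SELECTION_12 and SELECTION_16` (`HKCU\\*` plus `*Classes\CLSID\{E08A0F4B-...}\Model*`), so the first branch of the condition is redundant; drop it or explain why both are kept. The selections are emitted in lexical order (SELECTION_1, SELECTION_10 ... SELECTION_16, then SELECTION_2 ... SELECTION_9), which is what hides this; emit them in numeric order.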
diff --git a/rules/alert-rules/sigma/sysmon_apt_sourgrum.yml b/rules/alert-rules/sigma/sysmon_apt_sourgrum.yml
deleted file mode 100644
index 47735b3f..00000000
--- a/rules/alert-rules/sigma/sysmon_apt_sourgrum.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: SOURGUM Actor Behaviours
-author: MSTIC, FPT.EagleEye
-date: 2021/06/15
-description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
- SELECTION_11:
- CommandLine: '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
- SELECTION_2:
- Image: '*windows\system32\Physmem.sys*'
- SELECTION_3:
- Image: '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
- SELECTION_4:
- Image: '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
- SELECTION_5:
- Image: '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
- SELECTION_6:
- EventID: 1
- SELECTION_7:
- Image: '*windows\system32\filepath2*'
- SELECTION_8:
- Image: '*windows\system32\ime*'
- SELECTION_9:
- CommandLine: '*reg add*'
- condition: (SELECTION_1 and ((SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5))
- or (SELECTION_6 and (SELECTION_7 or SELECTION_8) and (SELECTION_9) and (SELECTION_10
- or SELECTION_11))))
-falsepositives:
-- Unknown
-id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/07/30
-references:
-- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
-- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
-- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
-status: experimental
-tags:
-- attack.t1546
-- attack.t1546.015
-- attack.persistence
-- attack.privilege_escalation
-yml_filename: sysmon_apt_sourgrum.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
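Review bot: `SELECTION_1` and `SELECTION_6` are the identical `EventID: 1`, so the `SELECTION_6 and ...` branch is redundant. More importantly, `SELECTION_2` through `SELECTION_5` match `Image` against a driver and config files (`*windows\system32\Physmem.sys*`, `*...\WimBootConfigurations.ini*`), which can never be the `Image` of a process-creation event; these read like file IOCs from the referenced Sentinel query that belong in a file-event rule. `SELECTION_7` (`'*windows\system32\filepath2*'`) looks like an un-substituted placeholder and should be checked against the source before any re-add.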
diff --git a/rules/alert-rules/sigma/sysmon_apt_turla_namedpipes.yml b/rules/alert-rules/sigma/sysmon_apt_turla_namedpipes.yml
deleted file mode 100644
index 1c33360c..00000000
--- a/rules/alert-rules/sigma/sysmon_apt_turla_namedpipes.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Turla Group Named Pipes
-author: Markus Neis
-date: 2017/11/06
-description: Detects a named pipe used by Turla group samples
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: \atctl
- SELECTION_4:
- PipeName: \userpipe
- SELECTION_5:
- PipeName: \iehelper
- SELECTION_6:
- PipeName: \sdlrpc
- SELECTION_7:
- PipeName: \comnap
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unknown
-id: 739915e4-1e70-4778-8b8a-17db02f66db1
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-references:
-- Internal Research
-status: experimental
-tags:
-- attack.g0010
-yml_filename: sysmon_apt_turla_namedpipes.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
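Review bot: the only tag is the group ID `attack.g0010` with no tactic or technique, so the rule is invisible to technique-based coverage views, and the sole reference is "Internal Research", which gives a reviewer nothing to validate the five pipe names against. If it is re-added, tag the tactic/technique the pipes serve and cite a public sample or report. The `definition` text is a tutorial paragraph (three Sysmon config repos and a testing blog); that belongs in documentation, not inside `logsource`.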
diff --git a/rules/alert-rules/sigma/sysmon_asep_reg_keys_modification.yml b/rules/alert-rules/sigma/sysmon_asep_reg_keys_modification.yml
deleted file mode 100644
index 8eae5e70..00000000
--- a/rules/alert-rules/sigma/sysmon_asep_reg_keys_modification.yml
+++ /dev/null
@@ -1,347 +0,0 @@
-title: Autorun Keys Modification
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton
-date: 2019/10/25
-description: Detects modification of autostart extensibility point (ASEP) in registry.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: '*\Software\Microsoft\Ctf\LangBarAddin*'
- SELECTION_100:
- TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*'
- SELECTION_101:
- TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*'
- SELECTION_102:
- TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*'
- SELECTION_103:
- TargetObject: '*\AllFileSystemObjects\ShellEx\DragDropHandlers*'
- SELECTION_104:
- TargetObject: '*\ShellEx\PropertySheetHandlers*'
- SELECTION_105:
- TargetObject: '*\ShellEx\ContextMenuHandlers*'
- SELECTION_106:
- TargetObject: '*\Software\Classes*'
- SELECTION_107:
- TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*'
- SELECTION_108:
- TargetObject: '*\Folder\ShellEx\DragDropHandlers*'
- SELECTION_109:
- TargetObject: '*\Folder\Shellex\ColumnHandlers*'
- SELECTION_11:
- TargetObject: '*\Software\Microsoft\Command Processor\Autorun*'
- SELECTION_110:
- TargetObject: '*\Filter*'
- SELECTION_111:
- TargetObject: '*\Exefile\Shell\Open\Command\(Default)*'
- SELECTION_112:
- TargetObject: '*\Directory\Shellex\DragDropHandlers*'
- SELECTION_113:
- TargetObject: '*\Directory\Shellex\CopyHookHandlers*'
- SELECTION_114:
- TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*'
- SELECTION_115:
- TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*'
- SELECTION_116:
- TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*'
- SELECTION_117:
- TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*'
- SELECTION_118:
- TargetObject: '*\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers*'
- SELECTION_119:
- TargetObject: '*\.exe*'
- SELECTION_12:
- TargetObject: '*\SOFTWARE\Microsoft\Active Setup\Installed Components*'
- SELECTION_120:
- TargetObject: '*\.cmd*'
- SELECTION_121:
- TargetObject: '*\ShellEx\PropertySheetHandlers*'
- SELECTION_122:
- TargetObject: '*\ShellEx\ContextMenuHandlers*'
- SELECTION_123:
- TargetObject: '*\Software\Policies\Microsoft\Windows\System\Scripts*'
- SELECTION_124:
- TargetObject: '*\Startup*'
- SELECTION_125:
- TargetObject: '*\Shutdown*'
- SELECTION_126:
- TargetObject: '*\Logon*'
- SELECTION_127:
- TargetObject: '*\Logoff*'
- SELECTION_128:
- TargetObject: '*\System\CurrentControlSet\Services\WinSock2\Parameters*'
- SELECTION_129:
- TargetObject: '*\Protocol_Catalog9\Catalog_Entries*'
- SELECTION_13:
- TargetObject: '*\SOFTWARE\Classes\Protocols\Handler*'
- SELECTION_130:
- TargetObject: '*\NameSpace_Catalog5\Catalog_Entries*'
- SELECTION_131:
- TargetObject: '*\SYSTEM\CurrentControlSet\Control*'
- SELECTION_132:
- TargetObject: '*\Terminal Server\WinStations\RDP-Tcp\InitialProgram*'
- SELECTION_133:
- TargetObject: '*\Terminal Server\Wds\rdpwd\StartupPrograms*'
- SELECTION_134:
- TargetObject: '*\SecurityProviders\SecurityProviders*'
- SELECTION_135:
- TargetObject: '*\SafeBoot\AlternateShell*'
- SELECTION_136:
- TargetObject: '*\Print\Providers*'
- SELECTION_137:
- TargetObject: '*\Print\Monitors*'
- SELECTION_138:
- TargetObject: '*\NetworkProvider\Order*'
- SELECTION_139:
- TargetObject: '*\Lsa\Notification Packages*'
- SELECTION_14:
- TargetObject: '*\SOFTWARE\Classes\Protocols\Filter*'
- SELECTION_140:
- TargetObject: '*\Lsa\Authentication Packages*'
- SELECTION_141:
- TargetObject: '*\BootVerificationProgram\ImagePath*'
- SELECTION_142:
- Details: (Empty)
- SELECTION_15:
- TargetObject: '*\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)*'
- SELECTION_16:
- TargetObject: '*\Environment\UserInitMprLogonScript*'
- SELECTION_17:
- TargetObject: '*\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe*'
- SELECTION_18:
- TargetObject: '*\Software\Microsoft\Internet Explorer\UrlSearchHooks*'
- SELECTION_19:
- TargetObject: '*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*'
- SELECTION_2:
- EventID: 13
- SELECTION_20:
- TargetObject: '*\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32*'
- SELECTION_21:
- TargetObject: '*\Control Panel\Desktop\Scrnsave.exe*'
- SELECTION_22:
- TargetObject: '*\System\CurrentControlSet\Control\Session Manager*'
- SELECTION_23:
- TargetObject: '*\SetupExecute*'
- SELECTION_24:
- TargetObject: '*\S0InitialCommand*'
- SELECTION_25:
- TargetObject: '*\KnownDlls*'
- SELECTION_26:
- TargetObject: '*\Execute*'
- SELECTION_27:
- TargetObject: '*\BootExecute*'
- SELECTION_28:
- TargetObject: '*\AppCertDlls*'
- SELECTION_29:
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion*'
- SELECTION_3:
- EventID: 14
- SELECTION_30:
- TargetObject: '*\ShellServiceObjectDelayLoad*'
- SELECTION_31:
- TargetObject: '*\Run*'
- SELECTION_32:
- TargetObject: '*\Policies\System\Shell*'
- SELECTION_33:
- TargetObject: '*\Policies\Explorer\Run*'
- SELECTION_34:
- TargetObject: '*\Group Policy\Scripts\Startup*'
- SELECTION_35:
- TargetObject: '*\Group Policy\Scripts\Shutdown*'
- SELECTION_36:
- TargetObject: '*\Group Policy\Scripts\Logon*'
- SELECTION_37:
- TargetObject: '*\Group Policy\Scripts\Logoff*'
- SELECTION_38:
- TargetObject: '*\Explorer\ShellServiceObjects*'
- SELECTION_39:
- TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*'
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart*'
- SELECTION_40:
- TargetObject: '*\Explorer\ShellExecuteHooks*'
- SELECTION_41:
- TargetObject: '*\Explorer\SharedTaskScheduler*'
- SELECTION_42:
- TargetObject: '*\Explorer\Browser Helper Objects*'
- SELECTION_43:
- TargetObject: '*\Authentication\PLAP Providers*'
- SELECTION_44:
- TargetObject: '*\Authentication\Credential Providers*'
- SELECTION_45:
- TargetObject: '*\Authentication\Credential Provider Filters*'
- SELECTION_46:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*'
- SELECTION_47:
- TargetObject: '*\Winlogon\VmApplet*'
- SELECTION_48:
- TargetObject: '*\Winlogon\Userinit*'
- SELECTION_49:
- TargetObject: '*\Winlogon\Taskman*'
- SELECTION_5:
- TargetObject: '*\Software\Wow6432Node\Microsoft\Command Processor\Autorun*'
- SELECTION_50:
- TargetObject: '*\Winlogon\Shell*'
- SELECTION_51:
- TargetObject: '*\Winlogon\GpExtensions*'
- SELECTION_52:
- TargetObject: '*\Winlogon\AppSetup*'
- SELECTION_53:
- TargetObject: '*\Winlogon\AlternateShells\AvailableShells*'
- SELECTION_54:
- TargetObject: '*\Windows\IconServiceLib*'
- SELECTION_55:
- TargetObject: '*\Windows\Appinit_Dlls*'
- SELECTION_56:
- TargetObject: '*\Image File Execution Options*'
- SELECTION_57:
- TargetObject: '*\Font Drivers*'
- SELECTION_58:
- TargetObject: '*\Drivers32*'
- SELECTION_59:
- TargetObject: '*\Windows\Run*'
- SELECTION_6:
- TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components*'
- SELECTION_60:
- TargetObject: '*\Windows\Load*'
- SELECTION_61:
- TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion*'
- SELECTION_62:
- TargetObject: '*\ShellServiceObjectDelayLoad*'
- SELECTION_63:
- TargetObject: '*\Run*'
- SELECTION_64:
- TargetObject: '*\Explorer\ShellServiceObjects*'
- SELECTION_65:
- TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*'
- SELECTION_66:
- TargetObject: '*\Explorer\ShellExecuteHooks*'
- SELECTION_67:
- TargetObject: '*\Explorer\SharedTaskScheduler*'
- SELECTION_68:
- TargetObject: '*\Explorer\Browser Helper Objects*'
- SELECTION_69:
- TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion*'
- SELECTION_7:
- TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect*'
- SELECTION_70:
- TargetObject: '*\Windows\Appinit_Dlls*'
- SELECTION_71:
- TargetObject: '*\Image File Execution Options*'
- SELECTION_72:
- TargetObject: '*\Drivers32*'
- SELECTION_73:
- EventID: 12
- SELECTION_74:
- EventID: 13
- SELECTION_75:
- EventID: 14
- SELECTION_76:
- TargetObject: '*\Software\Wow6432Node\Microsoft\Office*'
- SELECTION_77:
- TargetObject: '*\Software\Microsoft\Office*'
- SELECTION_78:
- TargetObject: '*\Word\Addins*'
- SELECTION_79:
- TargetObject: '*\PowerPoint\Addins*'
- SELECTION_8:
- TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect*'
- SELECTION_80:
- TargetObject: '*\Outlook\Addins*'
- SELECTION_81:
- TargetObject: '*\Onenote\Addins*'
- SELECTION_82:
- TargetObject: '*\Excel\Addins*'
- SELECTION_83:
- TargetObject: '*\Access\Addins*'
- SELECTION_84:
- TargetObject: '*test\Special\Perf*'
- SELECTION_85:
- EventID: 12
- SELECTION_86:
- EventID: 13
- SELECTION_87:
- EventID: 14
- SELECTION_88:
- TargetObject: '*\Software\Wow6432Node\Microsoft\Internet Explorer*'
- SELECTION_89:
- TargetObject: '*\Software\Microsoft\Internet Explorer*'
- SELECTION_9:
- TargetObject: '*\SYSTEM\Setup\CmdLine*'
- SELECTION_90:
- TargetObject: '*\Toolbar*'
- SELECTION_91:
- TargetObject: '*\Extensions*'
- SELECTION_92:
- TargetObject: '*\Explorer Bars*'
- SELECTION_93:
- TargetObject: '*\Software\Wow6432Node\Classes*'
- SELECTION_94:
- TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*'
- SELECTION_95:
- TargetObject: '*\Folder\ShellEx\DragDropHandlers*'
- SELECTION_96:
- TargetObject: '*\Folder\ShellEx\ColumnHandlers*'
- SELECTION_97:
- TargetObject: '*\Directory\Shellex\DragDropHandlers*'
- SELECTION_98:
- TargetObject: '*\Directory\Shellex\CopyHookHandlers*'
- SELECTION_99:
- TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((((((((((((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21) or (SELECTION_22 and (SELECTION_23 or SELECTION_24
- or SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28))) or (SELECTION_29
- and (SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34
- or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
- or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44
- or SELECTION_45))) or (SELECTION_46 and (SELECTION_47 or SELECTION_48 or SELECTION_49
- or SELECTION_50 or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54
- or SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59
- or SELECTION_60))) or (SELECTION_61 and (SELECTION_62 or SELECTION_63 or SELECTION_64
- or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68))) or (SELECTION_69
- and (SELECTION_70 or SELECTION_71 or SELECTION_72))) or ((SELECTION_73 or
- SELECTION_74 or SELECTION_75) and (SELECTION_76 or SELECTION_77) and (SELECTION_78
- or SELECTION_79 or SELECTION_80 or SELECTION_81 or SELECTION_82 or SELECTION_83
- or SELECTION_84))) or ((SELECTION_85 or SELECTION_86 or SELECTION_87) and
- (SELECTION_88 or SELECTION_89) and (SELECTION_90 or SELECTION_91 or SELECTION_92)))
- or (SELECTION_93 and (SELECTION_94 or SELECTION_95 or SELECTION_96 or SELECTION_97
- or SELECTION_98 or SELECTION_99 or SELECTION_100 or SELECTION_101 or SELECTION_102
- or SELECTION_103 or SELECTION_104 or SELECTION_105))) or (SELECTION_106 and
- (SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110 or SELECTION_111
- or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115 or SELECTION_116
- or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120 or SELECTION_121
- or SELECTION_122))) or (SELECTION_123 and (SELECTION_124 or SELECTION_125
- or SELECTION_126 or SELECTION_127))) or (SELECTION_128 and (SELECTION_129
- or SELECTION_130))) or ((SELECTION_131 and (SELECTION_132 or SELECTION_133
- or SELECTION_134 or SELECTION_135 or SELECTION_136 or SELECTION_137 or SELECTION_138
- or SELECTION_139 or SELECTION_140 or SELECTION_141)) and not (SELECTION_142))))
-falsepositives:
-- Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
-- Legitimate administrator sets up autorun keys for legitimate reason
-fields:
-- SecurityID
-- ObjectName
-- OldValueType
-- NewValueType
-id: 17f878b8-9968-4578-b814-c4217fc5768c
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/11/11
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
-- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
-- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-status: experimental
-tags:
-- attack.persistence
-- attack.t1547.001
-- attack.t1060
-yml_filename: sysmon_asep_reg_keys_modification.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
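Review bot: the `and` groups in `condition` do not enforce key hierarchy: `SELECTION_29` (`*\SOFTWARE\Microsoft\Windows\CurrentVersion*`) combined with `SELECTION_31` (`*\Run*`) only requires both substrings to appear somewhere in `TargetObject`, so the group is far broader than the `CurrentVersion\Run` autostart key it is meant to cover, and very short patterns such as `*\Run*`, `*\Execute*` (SELECTION_26), `*\Filter*` (SELECTION_110) and `*\.exe*` (SELECTION_119) will match many unrelated paths. If the rule is re-added elsewhere, consider collapsing each parent/child pair into a single anchored pattern (for example `*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*`) and deduplicating the identical selections that the converter emitted twice (SELECTION_30/62, 31/63, 38/64 through 42/68, 55/70, 56/71, 58/72, 99/114, 100/115, 101/116, 102/117, 104/121, 105/122, 112/97, 113/98); the `tags` list also carries the retired `attack.t1060` next to its replacement `attack.t1547.001`.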
diff --git a/rules/alert-rules/sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/alert-rules/sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
deleted file mode 100644
index 55f087cf..00000000
--- a/rules/alert-rules/sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Atlassian Confluence CVE-2021-26084
-author: Bhabesh Raj
-date: 2021/09/08
-description: Detects spawning of suspicious child processes by Atlassian Confluence
- server which may indicate successful exploitation of CVE-2021-26084
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'
- SELECTION_3:
- CommandLine: '*cmd /c*'
- SELECTION_4:
- CommandLine: '*cmd /k*'
- SELECTION_5:
- CommandLine: '*powershell*'
- SELECTION_6:
- CommandLine: '*certutil*'
- SELECTION_7:
- CommandLine: '*curl*'
- SELECTION_8:
- CommandLine: '*whoami*'
- SELECTION_9:
- CommandLine: '*ipconfig*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Unknown
-id: 245f92e3-c4da-45f1-9070-bc552e06db11
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
-- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
-- https://github.com/h3v0x/CVE-2021-26084_Confluence
-status: experimental
-tags:
-- attack.initial_access
-- attack.execution
-- attack.t1190
-- attack.t1059
-yml_filename: sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
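Review bot: `SELECTION_7` (`*curl*`) and `SELECTION_8` (`*whoami*`) are unanchored substrings, so any child of `java.exe` whose command line merely contains those letters (a path component, a JAR name) satisfies the `or` group, and with `level: high` this will page on benign Confluence tooling; if the rule is restored, anchor these to the executable name (`*\curl.exe*`, `*\whoami.exe*`) or to a surrounding space, the way `SELECTION_3` and `SELECTION_4` already do with `*cmd /c*` and `*cmd /k*`.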
diff --git a/rules/alert-rules/sigma/sysmon_bypass_via_wsreset.yml b/rules/alert-rules/sigma/sysmon_bypass_via_wsreset.yml
deleted file mode 100644
index e7e4c995..00000000
--- a/rules/alert-rules/sigma/sysmon_bypass_via_wsreset.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: UAC Bypass Via Wsreset
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated
- with the Windows Store. It will run a binary file contained in a low-privilege
- registry.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
-falsepositives:
-- unknown
-fields:
-- ComputerName
-- Image
-- EventType
-- TargetObject
-id: 6ea3bf32-9680-422d-9f50-e90716b12a66
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
-- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_bypass_via_wsreset.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_cactustorch.yml b/rules/alert-rules/sigma/sysmon_cactustorch.yml
deleted file mode 100644
index b7865606..00000000
--- a/rules/alert-rules/sigma/sysmon_cactustorch.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: CACTUSTORCH Remote Thread Creation
-author: '@SBousseaden (detection), Thomas Patzke (rule)'
-date: 2019/02/01
-description: Detects remote thread creation from CACTUSTORCH as described in references.
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- SourceImage: '*\System32\cscript.exe'
- SELECTION_3:
- SourceImage: '*\System32\wscript.exe'
- SELECTION_4:
- SourceImage: '*\System32\mshta.exe'
- SELECTION_5:
- SourceImage: '*\winword.exe'
- SELECTION_6:
- SourceImage: '*\excel.exe'
- SELECTION_7:
- TargetImage: '*\SysWOW64\\*'
- SELECTION_8:
- StartModule|re: ^$
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6) and SELECTION_7 and SELECTION_8)
-falsepositives:
-- unknown
-id: 2e4e488a-6164-4811-9ea1-f960c7359c40
-level: high
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2021/11/12
-references:
-- https://twitter.com/SBousseaden/status/1090588499517079552
-- https://github.com/mdsecactivebreach/CACTUSTORCH
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1093
-- attack.t1055.012
-- attack.execution
-- attack.t1064
-- attack.t1059.005
-- attack.t1059.007
-- attack.t1218.005
-yml_filename: sysmon_cactustorch.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
diff --git a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_access.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_access.yml
deleted file mode 100644
index 16470042..00000000
--- a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_access.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: CMSTP Execution Process Access
-author: Nik Seetharaman
-date: 2018/07/16
-description: Detects various indicators of Microsoft Connection Manager Profile Installer
- execution
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- CallTrace: '*cmlua.dll*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate CMSTP use (unlikely in modern enterprise environments)
-fields:
-- CommandLine
-- ParentCommandLine
-- Details
-id: 3b4b232a-af90-427c-a22f-30b0c0837b95
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/06/27
-references:
-- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1218.003
-- attack.t1191
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-- attack.g0069
-- attack.g0080
-- car.2019-04-001
-yml_filename: sysmon_cmstp_execution_by_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
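Review bot: the `fields` list (`CommandLine`, `ParentCommandLine`, `Details`) does not match the log source: this rule fires on Sysmon EventID 10 (ProcessAccess), whose record carries `SourceImage`, `TargetImage`, `GrantedAccess` and `CallTrace` but no command-line or `Details` field, so the alert output would be empty for every listed field. The same list is copied into the process_creation and registry_event CMSTP variants below; each should list fields that actually exist for its event type (for EventID 10 at least `SourceImage`, `TargetImage` and `CallTrace`).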
diff --git a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_creation.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_creation.yml
deleted file mode 100644
index b4432db1..00000000
--- a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_creation.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: CMSTP Execution Process Creation
-author: Nik Seetharaman
-date: 2018/07/16
-description: Detects various indicators of Microsoft Connection Manager Profile Installer
- execution
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\cmstp.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate CMSTP use (unlikely in modern enterprise environments)
-fields:
-- CommandLine
-- ParentCommandLine
-- Details
-id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/12/23
-references:
-- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-status: stable
-tags:
-- attack.defense_evasion
-- attack.execution
-- attack.t1191
-- attack.t1218.003
-- attack.g0069
-- car.2019-04-001
-yml_filename: sysmon_cmstp_execution_by_creation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_registry.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_registry.yml
deleted file mode 100644
index 2c4ae592..00000000
--- a/rules/alert-rules/sigma/sysmon_cmstp_execution_by_registry.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: CMSTP Execution Registry Event
-author: Nik Seetharaman
-date: 2018/07/16
-description: Detects various indicators of Microsoft Connection Manager Profile Installer
- execution
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\cmmgr32.exe*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Legitimate CMSTP use (unlikely in modern enterprise environments)
-fields:
-- CommandLine
-- ParentCommandLine
-- Details
-id: b6d235fc-1d38-4b12-adbe-325f06728f37
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/12/23
-references:
-- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-status: stable
-tags:
-- attack.defense_evasion
-- attack.execution
-- attack.t1191
-- attack.t1218.003
-- attack.g0069
-- car.2019-04-001
-yml_filename: sysmon_cmstp_execution_by_registry.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
deleted file mode 100644
index c51ce71e..00000000
--- a/rules/alert-rules/sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: CobaltStrike BOF Injection Pattern
-author: Christian Burkard
-date: 2021/08/04
-description: Detects a typical pattern of a CobaltStrike BOF which inject into other
- processes
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
- SELECTION_3:
- GrantedAccess: '0x1028'
- SELECTION_4:
- GrantedAccess: '0x1fffff'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-id: 09706624-b7f6-455d-9d02-adee024cee1d
-level: high
-logsource:
- category: process_access
- product: windows
-references:
-- https://github.com/boku7/injectAmsiBypass
-- https://github.com/boku7/spawn
-status: experimental
-tags:
-- attack.execution
-- attack.t1106
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_cobaltstrike_bof_injection_pattern.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
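Review bot: the escaping in `SELECTION_2` looks doubled by the conversion. `CallTrace|re` is an unquoted YAML scalar, so the pattern reaches the regex engine literally, and `\\\\` there matches two consecutive backslashes while `\\.dll` matches a backslash followed by any character; a real Sysmon EventID 10 `CallTrace` value contains single separators (`C:\Windows\SYSTEM32\ntdll.dll+...|C:\Windows\System32\KERNELBASE.dll+...|UNKNOWN(...)`), so unless the rule loader unescapes the string once before compiling it, this regex can never match. Worth confirming the converter's backslash handling for `|re` modifiers before re-adding the rule, since the upstream form uses single escaped separators (`\\`).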
diff --git a/rules/alert-rules/sigma/sysmon_cobaltstrike_process_injection.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_process_injection.yml
deleted file mode 100644
index 6132b798..00000000
--- a/rules/alert-rules/sigma/sysmon_cobaltstrike_process_injection.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: CobaltStrike Process Injection
-author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
-date: 2018/11/30
-description: Detects a possible remote threat creation with certain characteristics
- which are typical for Cobalt Strike beacons
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- TargetProcessAddress: '*0B80'
- SELECTION_3:
- TargetProcessAddress: '*0C7C'
- SELECTION_4:
- TargetProcessAddress: '*0C88'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
-level: high
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2020/08/28
-references:
-- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
-- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1055
-- attack.t1055.001
-yml_filename: sysmon_cobaltstrike_process_injection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
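Review bot: `description` reads "remote threat creation"; the rule keys on EventID 8 (CreateRemoteThread), so this should be "thread creation". The three `TargetProcessAddress` suffix patterns (`*0B80`, `*0C7C`, `*0C88`) are tied to the specific beacon builds discussed in the referenced Cobalt Strike 3.11 post, so if the rule is restored the description should say which versions they were observed for, as the `date`/`modified` fields alone do not convey how stale the offsets are.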
diff --git a/rules/alert-rules/sigma/sysmon_cobaltstrike_service_installs.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_service_installs.yml
deleted file mode 100644
index 2ffff381..00000000
--- a/rules/alert-rules/sigma/sysmon_cobaltstrike_service_installs.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: CobaltStrike Service Installations in Registry
-author: Wojciech Lesicki
-date: 2021/06/29
-description: Detects known malicious service installs that appear in cases in which
- a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch
- this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
- In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services
- or HKLM\System\ControlSet002\Services, however, this rule is based on a regular
- sysmon's events.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*powershell*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*HKLM\System\CurrentControlSet\Services*'
- SELECTION_6:
- Details: '*ADMIN$*'
- SELECTION_7:
- Details: '*.exe*'
- SELECTION_8:
- Details: '*%COMSPEC%*'
- SELECTION_9:
- Details: '*start*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and ((SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
-falsepositives:
-- unknown
-id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.lateral_movement
-- attack.t1021.002
-- attack.t1543.003
-- attack.t1569.002
-yml_filename: sysmon_cobaltstrike_service_installs.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
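Review bot: `SELECTION_4` (`EventType: SetValue`) already restricts the match to Sysmon EventID 13 (registry value set), so the `(SELECTION_1 or SELECTION_2 or SELECTION_3)` group over EventIDs 12, 13 and 14 adds nothing and can be collapsed to `EventID: 13`. Separately, `description` points out that the same installs may surface under `HKLM\System\ControlSet001\Services` or `ControlSet002`, but `SELECTION_5` only matches `*HKLM\System\CurrentControlSet\Services*`; if that coverage is intended, a pattern such as `*HKLM\System\ControlSet*\Services*` would cover all three, otherwise the description should not suggest it.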
diff --git a/rules/alert-rules/sigma/sysmon_comhijack_sdclt.yml b/rules/alert-rules/sigma/sysmon_comhijack_sdclt.yml
deleted file mode 100644
index f3e42962..00000000
--- a/rules/alert-rules/sigma/sysmon_comhijack_sdclt.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: COM Hijack via Sdclt
-author: Omkar Gudhate
-date: 2020/09/27
-description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
-falsepositives:
-- unknown
-id: 07743f65-7ec9-404a-a519-913db7118a8d
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
-- https://www.exploit-db.com/exploits/47696
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1546
-- attack.t1548
-yml_filename: sysmon_comhijack_sdclt.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
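Review bot: `SELECTION_4` is an exact match on `HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute` with no leading wildcard, but Sysmon EventID 12/13/14 records per-user hives as `HKU\<SID>\Software\...` rather than `HKCU\...`, so as written this selection will never match a real event and the rule is effectively dead. If it is re-added, use a wildcard-prefixed path (`*\Software\Classes\Folder\shell\open\command\DelegateExecute`) so the SID-qualified `HKU` form is covered.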
diff --git a/rules/alert-rules/sigma/sysmon_config_modification_error.yml b/rules/alert-rules/sigma/sysmon_config_modification_error.yml
deleted file mode 100644
index 333d9582..00000000
--- a/rules/alert-rules/sigma/sysmon_config_modification_error.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Sysmon Configuration Error
-author: frack113
-date: 2021/06/04
-description: Someone try to hide from Sysmon
-detection:
- SELECTION_1:
- EventID: 255
- SELECTION_2:
- Description: '*Failed to open service configuration with error*'
- SELECTION_3:
- Description: '*Failed to connect to the driver to update configuration*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- legitimate administrative action
-id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
-level: high
-logsource:
- category: sysmon_error
- product: windows
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564
-yml_filename: sysmon_config_modification_error.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
-
diff --git a/rules/alert-rules/sigma/sysmon_config_modification_status.yml b/rules/alert-rules/sigma/sysmon_config_modification_status.yml
deleted file mode 100644
index 7358bae7..00000000
--- a/rules/alert-rules/sigma/sysmon_config_modification_status.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Sysmon Configuration Modification
-author: frack113
-date: 2021/06/04
-description: Someone try to hide from Sysmon
-detection:
- SELECTION_1:
- EventID: 4
- SELECTION_2:
- EventID: 16
- SELECTION_3:
- State: Stopped
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or Sysmon config state
- changed))
-falsepositives:
-- legitimate administrative action
-id: 1f2b5353-573f-4880-8e33-7d04dcf97744
-level: high
-logsource:
- category: sysmon_status
- product: windows
-modified: 2021/09/07
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564
-yml_filename: sysmon_config_modification_status.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
-
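Review bot: `condition` is not a valid expression: `(SELECTION_3 or Sysmon config state changed)` contains the bare words `Sysmon config state changed` instead of a selection name, almost certainly the original rule's second keyword leaking through the converter. Since the file is being deleted that may be moot, but if the rule is carried over, the keyword needs its own selection (for example a `SELECTION_4` matching that phrase in the event message) and the condition should reference it.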
diff --git a/rules/alert-rules/sigma/sysmon_createremotethread_loadlibrary.yml b/rules/alert-rules/sigma/sysmon_createremotethread_loadlibrary.yml
deleted file mode 100644
index 0471f3fd..00000000
--- a/rules/alert-rules/sigma/sysmon_createremotethread_loadlibrary.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: CreateRemoteThread API and LoadLibrary
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-description: Detects potential use of CreateRemoteThread api and LoadLibrary function
- to inject DLL into a process
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- StartModule: '*\kernel32.dll'
- SELECTION_3:
- StartFunction: LoadLibraryA
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 052ec6f6-1adc-41e6-907a-f1c813478bee
-level: critical
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2020/08/28
-references:
-- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1055
-- attack.t1055.001
-yml_filename: sysmon_createremotethread_loadlibrary.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
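Review bot: `SELECTION_3` matches only `StartFunction: LoadLibraryA`, so the same injection technique via `LoadLibraryW`, `LoadLibraryExA` or `LoadLibraryExW` (all exported by `kernel32.dll`, which `SELECTION_2` already matches) goes unreported despite `level: critical`. If the rule is restored, a wildcard (`LoadLibrary*`) or an explicit `or` over the four names would close that gap.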
diff --git a/rules/alert-rules/sigma/sysmon_creation_mavinject_dll.yml b/rules/alert-rules/sigma/sysmon_creation_mavinject_dll.yml
deleted file mode 100644
index 901fae11..00000000
--- a/rules/alert-rules/sigma/sysmon_creation_mavinject_dll.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Mavinject Inject DLL Into Running Process
-author: frack113
-date: 2021/07/12
-description: Injects arbitrary DLL into running process specified by process ID. Requires
- Windows 10.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '* /INJECTRUNNING*'
- SELECTION_3:
- CommandLine: '*.dll*'
- SELECTION_4:
- OriginalFileName: '*mavinject*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.collection
-- attack.t1218
-- attack.t1056.004
-yml_filename: sysmon_creation_mavinject_dll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_creation_system_file.yml b/rules/alert-rules/sigma/sysmon_creation_system_file.yml
deleted file mode 100644
index 04bebbb5..00000000
--- a/rules/alert-rules/sigma/sysmon_creation_system_file.yml
+++ /dev/null
@@ -1,102 +0,0 @@
-title: File Created with System Process Name
-author: Sander Wiebing
-date: 2020/05/26
-description: Detects the creation of an executable with a system process name in a
- suspicious folder
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*\csrss.exe'
- SELECTION_11:
- TargetFilename: '*\conhost.exe'
- SELECTION_12:
- TargetFilename: '*\wininit.exe'
- SELECTION_13:
- TargetFilename: '*\lsm.exe'
- SELECTION_14:
- TargetFilename: '*\winlogon.exe'
- SELECTION_15:
- TargetFilename: '*\explorer.exe'
- SELECTION_16:
- TargetFilename: '*\taskhost.exe'
- SELECTION_17:
- TargetFilename: '*\Taskmgr.exe'
- SELECTION_18:
- TargetFilename: '*\taskmgr.exe'
- SELECTION_19:
- TargetFilename: '*\sihost.exe'
- SELECTION_2:
- TargetFilename: '*\svchost.exe'
- SELECTION_20:
- TargetFilename: '*\RuntimeBroker.exe'
- SELECTION_21:
- TargetFilename: '*\runtimebroker.exe'
- SELECTION_22:
- TargetFilename: '*\smartscreen.exe'
- SELECTION_23:
- TargetFilename: '*\dllhost.exe'
- SELECTION_24:
- TargetFilename: '*\audiodg.exe'
- SELECTION_25:
- TargetFilename: '*\wlanext.exe'
- SELECTION_26:
- TargetFilename: C:\Windows\System32\\*
- SELECTION_27:
- TargetFilename: C:\Windows\system32\\*
- SELECTION_28:
- TargetFilename: C:\Windows\SysWow64\\*
- SELECTION_29:
- TargetFilename: C:\Windows\SysWOW64\\*
- SELECTION_3:
- TargetFilename: '*\rundll32.exe'
- SELECTION_30:
- TargetFilename: C:\Windows\winsxs\\*
- SELECTION_31:
- TargetFilename: C:\Windows\WinSxS\\*
- SELECTION_32:
- TargetFilename: \SystemRoot\System32\\*
- SELECTION_33:
- Image: '*\Windows\System32\dism.exe'
- SELECTION_34:
- TargetFilename: C:\$WINDOWS.~BT\\*
- SELECTION_35:
- Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe
- SELECTION_4:
- TargetFilename: '*\services.exe'
- SELECTION_5:
- TargetFilename: '*\powershell.exe'
- SELECTION_6:
- TargetFilename: '*\regsvr32.exe'
- SELECTION_7:
- TargetFilename: '*\spoolsv.exe'
- SELECTION_8:
- TargetFilename: '*\lsass.exe'
- SELECTION_9:
- TargetFilename: '*\smss.exe'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25)
- and not ((SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or
- SELECTION_30 or SELECTION_31 or SELECTION_32) and SELECTION_33)) and not
- (SELECTION_34 and SELECTION_35))
-falsepositives:
-- System processes copied outside the default folder
-fields:
-- Image
-id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/10/28
-status: test
-tags:
-- attack.defense_evasion
-- attack.t1036
-- attack.t1036.005
-yml_filename: sysmon_creation_system_file.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
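Review bot: SELECTION_17/SELECTION_18 (`*\Taskmgr.exe` / `*\taskmgr.exe`), SELECTION_20/SELECTION_21 (`*\RuntimeBroker.exe` / `*\runtimebroker.exe`) and the exclusion pairs SELECTION_26..31 (`System32`/`system32`, `SysWow64`/`SysWOW64`, `winsxs`/`WinSxS`) are case-variant duplicates, which only make sense if the matcher is case-sensitive; in that case the remaining names (`*\svchost.exe`, `*\lsass.exe`, ...) are not protected against mixed-case filenames, and if matching is case-insensitive the duplicates are dead weight. A replacement rule should settle on one matching mode and either collapse the pairs or apply the same treatment to every filename.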
diff --git a/rules/alert-rules/sigma/sysmon_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_cred_dump_lsass_access.yml
deleted file mode 100644
index 6370bb80..00000000
--- a/rules/alert-rules/sigma/sysmon_cred_dump_lsass_access.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-title: Credentials Dumping Tools Accessing LSASS Memory
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
- Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community (update)
-date: 2017/02/16
-description: Detects process access LSASS memory which is typical for credentials
- dumping tools
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_10:
- GrantedAccess: '*0x143a*'
- SELECTION_11:
- GrantedAccess: '*0x1418*'
- SELECTION_12:
- GrantedAccess: '*0x1f0fff*'
- SELECTION_13:
- GrantedAccess: '*0x1f1fff*'
- SELECTION_14:
- GrantedAccess: '*0x1f2fff*'
- SELECTION_15:
- GrantedAccess: '*0x1f3fff*'
- SELECTION_16:
- SourceImage: '*\wmiprvse.exe'
- SELECTION_17:
- SourceImage: '*\taskmgr.exe'
- SELECTION_18:
- SourceImage: '*\procexp64.exe'
- SELECTION_19:
- SourceImage: '*\procexp.exe'
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_20:
- SourceImage: '*\lsm.exe'
- SELECTION_21:
- SourceImage: '*\MsMpEng.exe'
- SELECTION_22:
- SourceImage: '*\csrss.exe'
- SELECTION_23:
- SourceImage: '*\wininit.exe'
- SELECTION_24:
- SourceImage: '*\vmtoolsd.exe'
- SELECTION_3:
- GrantedAccess: '*0x40*'
- SELECTION_4:
- GrantedAccess: '*0x1000*'
- SELECTION_5:
- GrantedAccess: '*0x1400*'
- SELECTION_6:
- GrantedAccess: '*0x100000*'
- SELECTION_7:
- GrantedAccess: '*0x1410*'
- SELECTION_8:
- GrantedAccess: '*0x1010*'
- SELECTION_9:
- GrantedAccess: '*0x1438*'
- condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15))
- and not ((SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or
- SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24)))
-falsepositives:
-- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
- with it
-fields:
-- ComputerName
-- User
-- SourceImage
-id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/10/20
-references:
-- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-- attack.t1003
-- attack.s0002
-- car.2019-04-004
-yml_filename: sysmon_cred_dump_lsass_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
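Review bot: the GrantedAccess selections use substring wildcards (`'*0x40*'`, `'*0x1000*'`, `'*0x1400*'` ...) instead of exact masks, so SELECTION_4 `*0x1000*` already subsumes SELECTION_6 `*0x100000*`, and `*0x40*` also matches unrelated masks such as `0x400` or `0x40010`; if this logic is carried forward it should match the whole mask value. The SourceImage allow-list in SELECTION_16..24 is also matched by basename only, so a copy of `taskmgr.exe` or `MsMpEng.exe` run from any directory is excluded from a `high` rule; anchoring those exclusions to their expected directories would close that gap.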
diff --git a/rules/alert-rules/sigma/sysmon_cred_dump_tools_dropped_files.yml b/rules/alert-rules/sigma/sysmon_cred_dump_tools_dropped_files.yml
deleted file mode 100644
index 64481cf5..00000000
--- a/rules/alert-rules/sigma/sysmon_cred_dump_tools_dropped_files.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-title: Cred Dump Tools Dropped Files
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-description: Files with well-known filenames (parts of credential dump software or
- files produced by them) creation
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*\lsremora.dll'
- SELECTION_11:
- TargetFilename: '*\fgexec.exe'
- SELECTION_12:
- TargetFilename: '*\wceaux.dll'
- SELECTION_13:
- TargetFilename: '*\SAM.out'
- SELECTION_14:
- TargetFilename: '*\SECURITY.out'
- SELECTION_15:
- TargetFilename: '*\SYSTEM.out'
- SELECTION_16:
- TargetFilename: '*\NTDS.out'
- SELECTION_17:
- TargetFilename: '*\DumpExt.dll'
- SELECTION_18:
- TargetFilename: '*\DumpSvc.exe'
- SELECTION_19:
- TargetFilename: '*\cachedump64.exe'
- SELECTION_2:
- TargetFilename: '*\pwdump*'
- SELECTION_20:
- TargetFilename: '*\cachedump.exe'
- SELECTION_21:
- TargetFilename: '*\pstgdump.exe'
- SELECTION_22:
- TargetFilename: '*\servpw.exe'
- SELECTION_23:
- TargetFilename: '*\servpw64.exe'
- SELECTION_24:
- TargetFilename: '*\pwdump.exe'
- SELECTION_25:
- TargetFilename: '*\procdump64.exe'
- SELECTION_3:
- TargetFilename: '*\kirbi*'
- SELECTION_4:
- TargetFilename: '*\pwhashes*'
- SELECTION_5:
- TargetFilename: '*\wce_ccache*'
- SELECTION_6:
- TargetFilename: '*\wce_krbtkts*'
- SELECTION_7:
- TargetFilename: '*\fgdump-log*'
- SELECTION_8:
- TargetFilename: '*\test.pwd'
- SELECTION_9:
- TargetFilename: '*\lsremora64.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7) and (SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25))
-falsepositives:
-- Legitimate Administrator using tool for password recovery
-id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-- attack.t1003.002
-- attack.t1003.003
-- attack.t1003.004
-- attack.t1003.005
-yml_filename: sysmon_cred_dump_tools_dropped_files.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
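Review bot: the condition joins the two TargetFilename groups with `and`: `(SELECTION_2 or ... SELECTION_7)` and `(SELECTION_8 or ... SELECTION_25)` must both match the same TargetFilename. Only a name that satisfies a pattern from each group can fire (for example `pwdump.exe`, which matches both `*\pwdump*` and SELECTION_24); `*\lsremora.dll`, `*\SAM.out`, `*\procdump64.exe`, `*\test.pwd` and most of the second group can never also match a first-group pattern and are dead. The description ("files with well-known filenames") implies a single list, so the two groups should be joined with `or`; that conversion error should be fixed if this rule is ever restored.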
diff --git a/rules/alert-rules/sigma/sysmon_cred_dump_tools_named_pipes.yml b/rules/alert-rules/sigma/sysmon_cred_dump_tools_named_pipes.yml
deleted file mode 100644
index da76ee62..00000000
--- a/rules/alert-rules/sigma/sysmon_cred_dump_tools_named_pipes.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Cred Dump-Tools Named Pipes
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-description: Detects well-known credential dumping tools execution via specific named
- pipes
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: '*\lsadump*'
- SELECTION_4:
- PipeName: '*\cachedump*'
- SELECTION_5:
- PipeName: '*\wceservicepipe*'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5))
-falsepositives:
-- Legitimate Administrator using tool for password recovery
-id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-modified: 2020/08/28
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-- attack.t1003.002
-- attack.t1003.004
-- attack.t1003.005
-yml_filename: sysmon_cred_dump_tools_named_pipes.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
diff --git a/rules/alert-rules/sigma/sysmon_cve_2020_1048.yml b/rules/alert-rules/sigma/sysmon_cve_2020_1048.yml
deleted file mode 100644
index 36b1b5e7..00000000
--- a/rules/alert-rules/sigma/sysmon_cve_2020_1048.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
-author: EagleEye Team, Florian Roth, NVISO
-date: 2020/05/13
-description: Detects a new and suspicious printer port creation in Registry that could
- be an attempt to exploit CVE-2020-1048
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports*
- SELECTION_5:
- Details: '*.dll*'
- SELECTION_6:
- Details: '*.exe*'
- SELECTION_7:
- Details: '*.bat*'
- SELECTION_8:
- Details: '*.com*'
- SELECTION_9:
- Details: '*C:*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- New printer port install on host
-id: 7ec912f2-5175-4868-b811-ec13ad0f8567
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://windows-internals.com/printdemon-cve-2020-1048/
-status: experimental
-tags:
-- attack.persistence
-- attack.execution
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_cve_2020_1048.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
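Review bot: SELECTION_8 `Details: '*.com*'` and SELECTION_9 `Details: '*C:*'` are very broad for a `high` rule: a port value containing a hostname ending in `.com` or any local drive path matches on its own, which the falsepositives entry "New printer port install on host" already admits. Since the point of the rule is a port that points at an executable or DLL path, consider requiring `C:` together with one of `.dll`/`.exe`/`.bat` rather than any single pattern, or lower the level to match the breadth.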
diff --git a/rules/alert-rules/sigma/sysmon_cve_2021_26857_msexchange.yml b/rules/alert-rules/sigma/sysmon_cve_2021_26857_msexchange.yml
deleted file mode 100644
index 5e4e867b..00000000
--- a/rules/alert-rules/sigma/sysmon_cve_2021_26857_msexchange.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: CVE-2021-26857 Exchange Exploitation
-author: Bhabesh Raj
-date: 2021/03/03
-description: "Detects possible successful exploitation for vulnerability described\
- \ in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange\
- \ Server\u2019s Unified Messaging service"
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*UMWorkerProcess.exe'
- SELECTION_3:
- Image: '*wermgr.exe'
- SELECTION_4:
- Image: '*WerFault.exe'
- condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4)))
-falsepositives:
-- Unknown
-id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-status: experimental
-tags:
-- attack.t1203
-- attack.execution
-- cve.2021.26857
-yml_filename: sysmon_cve_2021_26857_msexchange.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
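Review bot: SELECTION_2 `ParentImage: '*UMWorkerProcess.exe'`, SELECTION_3 `Image: '*wermgr.exe'` and SELECTION_4 `Image: '*WerFault.exe'` have no `\` before the filename, so any image whose name merely ends in those strings also matches or is excluded; anchor them as `*\UMWorkerProcess.exe` the way the other rules in this diff do. The exclusion `not ((SELECTION_3 or SELECTION_4))` also carries a redundant pair of parentheses.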
diff --git a/rules/alert-rules/sigma/sysmon_cve_2021_26858_msexchange.yml b/rules/alert-rules/sigma/sysmon_cve_2021_26858_msexchange.yml
deleted file mode 100644
index b53de3d5..00000000
--- a/rules/alert-rules/sigma/sysmon_cve_2021_26858_msexchange.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: CVE-2021-26858 Exchange Exploitation
-author: Bhabesh Raj
-date: 2021/03/03
-description: "Detects possible successful exploitation for vulnerability described\
- \ in CVE-2021-26858 by looking for | creation of non-standard files on disk by\
- \ Exchange Server\u2019s Unified Messaging service | which could indicate dropping\
- \ web shells or other malicious content"
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*UMWorkerProcess.exe'
- SELECTION_3:
- TargetFilename: '*CacheCleanup.bin'
- SELECTION_4:
- TargetFilename: '*.txt'
- SELECTION_5:
- TargetFilename: '*.LOG'
- SELECTION_6:
- TargetFilename: '*.cfg'
- SELECTION_7:
- TargetFilename: '*cleanup.bin'
- condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7)))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- TargetFilename
-id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
-level: critical
-logsource:
- category: file_event
- product: windows
-references:
-- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-status: experimental
-tags:
-- attack.t1203
-- attack.execution
-- cve.2021.26858
-yml_filename: sysmon_cve_2021_26858_msexchange.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
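Review bot: the exclusions in SELECTION_3..7 are extension-only and mix cases (`*.LOG` beside `*.txt` and `*.cfg`), so whether a lowercase `.log` file written by `UMWorkerProcess.exe` is excluded depends on the matcher's case handling, and under case-insensitive matching SELECTION_7 `*cleanup.bin` already covers SELECTION_3 `*CacheCleanup.bin`. Normalize the extension case and drop the duplicate so the exclusion list says what it means.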
diff --git a/rules/alert-rules/sigma/sysmon_dcom_iertutil_dll_hijack.yml b/rules/alert-rules/sigma/sysmon_dcom_iertutil_dll_hijack.yml
deleted file mode 100644
index 41f8177e..00000000
--- a/rules/alert-rules/sigma/sysmon_dcom_iertutil_dll_hijack.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
-author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-date: 2020/10/12
-description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
- Files\Internet Explorer\` directory over the network and loading it for a DCOM
- InternetExplorer DLL Hijack scenario.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: System
- SELECTION_3:
- TargetFilename: '*\Internet Explorer\iertutil.dll'
- SELECTION_4:
- EventID: 7
- SELECTION_5:
- Image: '*\Internet Explorer\iexplore.exe'
- SELECTION_6:
- ImageLoaded: '*\Internet Explorer\iertutil.dll'
- condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5 and SELECTION_6))
-falsepositives:
-- Unknown
-id: e554f142-5cf3-4e55-ace9-a1b59e0def65
-level: critical
-logsource:
- product: windows
- service: sysmon
-modified: 2021/06/27
-references:
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-- attack.t1021.003
-yml_filename: sysmon_dcom_iertutil_dll_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
-
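Review bot: this rule ORs two different event schemas (EventID 11 with `TargetFilename` in SELECTION_1..3, EventID 7 with `ImageLoaded` in SELECTION_4..6) under a bare `logsource: service: sysmon`, whereas every other rule in this diff declares a category; splitting it into a `file_event` rule and an `image_load` rule keeps each selection bound to the event type that carries its field and makes the `critical` level reviewable per event.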
diff --git a/rules/alert-rules/sigma/sysmon_delete_prefetch.yml b/rules/alert-rules/sigma/sysmon_delete_prefetch.yml
deleted file mode 100644
index 6c7876fb..00000000
--- a/rules/alert-rules/sigma/sysmon_delete_prefetch.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Prefetch File Deletion
-author: Cedric MAURUGEON
-date: 2021/09/29
-description: Detects the deletion of a prefetch file (AntiForensic)
-detection:
- SELECTION_1:
- EventID: 23
- SELECTION_2:
- EventID: 26
- SELECTION_3:
- TargetFilename: C:\Windows\Prefetch\\*
- SELECTION_4:
- TargetFilename: '*.pf'
- SELECTION_5:
- Image: C:\windows\system32\svchost.exe
- SELECTION_6:
- User: NT AUTHORITY\SYSTEM
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not
- (SELECTION_5 and SELECTION_6))
-falsepositives:
-- Unknown
-id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
-level: high
-logsource:
- category: file_delete
- product: windows
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.004
-yml_filename: sysmon_delete_prefetch.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
-
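Review bot: the exclusion `not (SELECTION_5 and SELECTION_6)` requires the exact image path `C:\windows\system32\svchost.exe` in lowercase while every other path in this diff is written `C:\Windows\System32\...`; if matching is case-sensitive the legitimate svchost-hosted prefetch maintenance will not be excluded and this `high` rule fires on routine activity. EventID 23 (FileDelete) and EventID 26 (FileDeleteDetected) also both need file-delete logging enabled in the Sysmon configuration, which the `logsource` block should state the way the named-pipes rule's `definition` does.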
diff --git a/rules/alert-rules/sigma/sysmon_detect_powerup_dllhijacking.yml b/rules/alert-rules/sigma/sysmon_detect_powerup_dllhijacking.yml
deleted file mode 100644
index 04768f72..00000000
--- a/rules/alert-rules/sigma/sysmon_detect_powerup_dllhijacking.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Powerup Write Hijack DLL
-author: Subhash Popuri (@pbssubhash)
-date: 2021/08/21
-description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege
- escalation. In it's default mode, it builds a self deleting .bat file which executes
- malicious command. The detection rule relies on creation of the malicious bat
- file (debug.bat by default).
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*\powershell.exe'
- SELECTION_3:
- TargetFilename: '*.bat'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Pentest
-- Any powershell script that creates bat files
-id: 602a1f13-c640-4d73-b053-be9a2fa58b96
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.defense_evasion
-- attack.t1574.001
-yml_filename: sysmon_detect_powerup_dllhijacking.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
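Review bot: the detection is any `powershell.exe` creating any `*.bat` (SELECTION_1..3) at level `high`, although the description says the tool's default artifact is `debug.bat`; as written it fires on every PowerShell script that writes a batch file, which the falsepositives entry "Any powershell script that creates bat files" concedes. Either narrow SELECTION_3 to `*\debug.bat` (accepting that a renamed artifact is missed) or lower the level to match the breadth.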
diff --git a/rules/alert-rules/sigma/sysmon_dhcp_calloutdll.yml b/rules/alert-rules/sigma/sysmon_dhcp_calloutdll.yml
deleted file mode 100644
index 7663965b..00000000
--- a/rules/alert-rules/sigma/sysmon_dhcp_calloutdll.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: DHCP Callout DLL Installation
-author: Dimitrios Slamaris
-date: 2017/05/15
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled
- parameter in Registry, which can be used to execute code in context of the DHCP
- server (restart required)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Services\DHCPServer\Parameters\CalloutDlls'
- SELECTION_5:
- TargetObject: '*\Services\DHCPServer\Parameters\CalloutEnabled'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- unknown
-id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
-- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
-- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-- attack.t1112
-yml_filename: sysmon_dhcp_calloutdll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
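Review bot: the tags list both `attack.t1073` and `attack.t1574.002`; T1073 (DLL Side-Loading) was retired by MITRE and folded into T1574.002, so the old ID is redundant and should be dropped to keep the ATT&CK mapping current.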
diff --git a/rules/alert-rules/sigma/sysmon_direct_syscall_ntopenprocess.yml b/rules/alert-rules/sigma/sysmon_direct_syscall_ntopenprocess.yml
deleted file mode 100644
index df5ea157..00000000
--- a/rules/alert-rules/sigma/sysmon_direct_syscall_ntopenprocess.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Direct Syscall of NtOpenProcess
-author: Christian Burkard
-date: 2021/07/28
-description: Detects the usage of the direct syscall of NtOpenProcess which might
- be done from a CobaltStrike BOF.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- CallTrace: UNKNOWN*
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
-level: critical
-logsource:
- category: process_access
- product: windows
-references:
-- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
-status: experimental
-tags:
-- attack.execution
-- attack.t1106
-yml_filename: sysmon_direct_syscall_ntopenprocess.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
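Review bot: SELECTION_2 `CallTrace: UNKNOWN*` is a prefix match on the first frame of the call trace, which is what the description ("direct syscall") depends on: a syscall issued from memory not backed by a module shows up as the first entry. Keep it as a prefix and do not widen it to `*UNKNOWN*`, since unbacked frames deeper in the stack are common and would make a `critical` rule noisy; the value is also the only unquoted wildcard string in this diff, so quote it like the others for consistency.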
diff --git a/rules/alert-rules/sigma/sysmon_disable_microsoft_office_security_features.yml b/rules/alert-rules/sigma/sysmon_disable_microsoft_office_security_features.yml
deleted file mode 100644
index 697fadaf..00000000
--- a/rules/alert-rules/sigma/sysmon_disable_microsoft_office_security_features.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Disable Microsoft Office Security Features
-author: frack113
-date: 2021/06/08
-description: Disable Microsoft Office Security Features by registry
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: DWORD (0x00000001)
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*\SOFTWARE\Microsoft\Office\\*'
- SELECTION_6:
- TargetObject: '*VBAWarnings'
- SELECTION_7:
- TargetObject: '*DisableInternetFilesInPV'
- SELECTION_8:
- TargetObject: '*DisableUnsafeLocationsInPV'
- SELECTION_9:
- TargetObject: '*DisableAttachementsInPV'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10)
-falsepositives:
-- unknown
-id: 7c637634-c95d-4bbf-b26c-a82510874b34
-level: high
-logsource:
- category: registry_event
- definition: key must be add to the sysmon configuration to works
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_disable_microsoft_office_security_features.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
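Review bot: `definition: key must be add to the sysmon configuration to works` is ungrammatical and does not name the keys; it should read along the lines of "the Office registry keys (`*\SOFTWARE\Microsoft\Office\*`) must be added to the Sysmon RegistryEvent configuration for this rule to fire". Note that SELECTION_9 `*DisableAttachementsInPV` is the real (misspelled) value name and should not be "corrected".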
diff --git a/rules/alert-rules/sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/alert-rules/sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
deleted file mode 100644
index d6948ea0..00000000
--- a/rules/alert-rules/sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Disable Security Events Logging Adding Reg Key MiniNt
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot,
- Windows Event Log service will stopped write events.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
- SELECTION_5:
- EventType: CreateKey
- SELECTION_6:
- NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
- SELECTION_5) or SELECTION_6))
-falsepositives:
-- Unknown
-fields:
-- EventID
-- Image
-- TargetObject
-- NewName
-id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2019/11/13
-references:
-- https://twitter.com/0gtweet/status/1182516740955226112
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-- attack.t1112
-yml_filename: sysmon_disable_security_events_logging_adding_reg_key_minint.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
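Review bot: the tags include both `attack.t1089` and `attack.t1562.001`; T1089 (Disabling Security Tools) was retired into T1562.001, so only the current ID should remain. The description's "Windows Event Log service will stopped write events" should read "will stop writing events".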
diff --git a/rules/alert-rules/sigma/sysmon_disable_wdigest_credential_guard.yml b/rules/alert-rules/sigma/sysmon_disable_wdigest_credential_guard.yml
deleted file mode 100644
index cae4db02..00000000
--- a/rules/alert-rules/sigma/sysmon_disable_wdigest_credential_guard.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Wdigest CredGuard Registry Modification
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/08/25
-description: Detects potential malicious modification of the property value of IsCredGuardEnabled
- from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable
- Cred Guard on a system. This is usually used with UseLogonCredential to manipulate
- the caching credentials.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\IsCredGuardEnabled'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_disable_wdigest_credential_guard.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
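Review bot: SELECTION_4 matches any registry event on a value named `IsCredGuardEnabled` without checking what was written, so setting it to 1 (enabling) raises the same `critical` alert as setting it to 0 to disable Credential Guard; add a `Details` selection for the disabling value or lower the level. The description also names `UseLogonCredential`, but no selection covers that value.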
diff --git a/rules/alert-rules/sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
deleted file mode 100644
index efba522c..00000000
--- a/rules/alert-rules/sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Disable Exploit Guard Network Protection on Windows Defender
-author: Austin Songer @austinsonger
-date: 2021/08/04
-description: Detects disabling Windows Defender Exploit Guard Network Protection
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security
- Center\App and Browser protection\DisallowExploitProtectionOverride*'
- SELECTION_6:
- Details: DWORD (00000001)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: bf9e1387-b040-4393-9851-1598f8ecfae9
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
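Review bot: SELECTION_6 `Details: DWORD (00000001)` is missing the `0x` prefix; Sysmon records DWORD registry values as `DWORD (0x00000001)` (compare the PUA rule in this diff, which uses `DWORD (0x00000000)`), so this selection never matches and the rule is dead. The title also says "Exploit Guard Network Protection" while the key matched is `DisallowExploitProtectionOverride` under "App and Browser protection", which is a different setting; rename the rule or point it at the network-protection value.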
diff --git a/rules/alert-rules/sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml
deleted file mode 100644
index b8f6296e..00000000
--- a/rules/alert-rules/sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Disable PUA Protection on Windows Defender
-author: Austin Songer @austinsonger
-date: 2021/08/04
-description: Detects disabling Windows Defender PUA protection
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection*'
- SELECTION_6:
- Details: DWORD (0x00000000)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: 8ffc5407-52e3-478f-9596-0a7371eafe13
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_disabled_pua_protection_on_microsoft_defender.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
deleted file mode 100644
index 5f6311c2..00000000
--- a/rules/alert-rules/sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Disable Tamper Protection on Windows Defender
-author: Austin Songer @austinsonger
-date: 2021/08/04
-description: Detects disabling Windows Defender Tamper Protection
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection*'
- SELECTION_6:
- Details: DWORD (0)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: 93d298a1-d28f-47f1-a468-d971e7796679
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_disabled_tamper_protection_on_microsoft_defender.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
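Review bot: SELECTION_6 `Details: DWORD (0)` does not match the format Sysmon uses for DWORD registry values, `DWORD (0x00000000)` (as the PUA rule in this diff writes it), so the rule cannot fire as written; use the zero-padded `0x` form.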
diff --git a/rules/alert-rules/sigma/sysmon_dllhost_net_connections.yml b/rules/alert-rules/sigma/sysmon_dllhost_net_connections.yml
deleted file mode 100644
index 9e8b3a13..00000000
--- a/rules/alert-rules/sigma/sysmon_dllhost_net_connections.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-title: Dllhost Internet Connection
-author: bartblaze
-date: 2020/07/13
-description: Detects Dllhost that communicates with public IP addresses
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- DestinationIp: 172.20.*
- SELECTION_11:
- DestinationIp: 172.21.*
- SELECTION_12:
- DestinationIp: 172.22.*
- SELECTION_13:
- DestinationIp: 172.23.*
- SELECTION_14:
- DestinationIp: 172.24.*
- SELECTION_15:
- DestinationIp: 172.25.*
- SELECTION_16:
- DestinationIp: 172.26.*
- SELECTION_17:
- DestinationIp: 172.27.*
- SELECTION_18:
- DestinationIp: 172.28.*
- SELECTION_19:
- DestinationIp: 172.29.*
- SELECTION_2:
- Image: '*\dllhost.exe'
- SELECTION_20:
- DestinationIp: 172.30.*
- SELECTION_21:
- DestinationIp: 172.31.*
- SELECTION_22:
- DestinationIp: 127.*
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIp: 10.*
- SELECTION_5:
- DestinationIp: 192.168.*
- SELECTION_6:
- DestinationIp: 172.16.*
- SELECTION_7:
- DestinationIp: 172.17.*
- SELECTION_8:
- DestinationIp: 172.18.*
- SELECTION_9:
- DestinationIp: 172.19.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22)))
-falsepositives:
-- Communication to other corporate systems that use IP addresses from public address
- spaces
-id: cfed2f44-16df-4bf3-833a-79405198b277
-level: medium
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-yml_filename: sysmon_dllhost_net_connections.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
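Review bot: the `not (...)` exclusion only covers the three RFC 1918 ranges and `127.*`; link-local `169.254.*` and every IPv6 destination fall through (there is no `DestinationIsIpv6` selection here, unlike the Excel rule later in this patch), so a dllhost.exe connection to `::1` or `fe80::...` raises this medium-level alert. `attack.t1175` is a retired ATT&CK ID that was split into T1021.003 and T1559.001; the latter is already tagged, so drop `t1175` if this rule comes back.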
diff --git a/rules/alert-rules/sigma/sysmon_dns_over_https_enabled.yml b/rules/alert-rules/sigma/sysmon_dns_over_https_enabled.yml
deleted file mode 100644
index 1bfed2fd..00000000
--- a/rules/alert-rules/sigma/sysmon_dns_over_https_enabled.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: DNS-over-HTTPS Enabled by Registry
-author: Austin Songer
-date: 2021/07/22
-description: Detects when a user enables DNS-over-HTTPS. This can be used to hide
- internet activity or be used to hide the process of exfiltrating data. With this
- enabled organization will lose visibility into data such as query type, response
- and originating IP that are used to determine bad actors.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
- SELECTION_5:
- Details: DWORD (1)
- SELECTION_6:
- TargetObject: '*\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
- SELECTION_7:
- Details: DWORD (secure)
- SELECTION_8:
- TargetObject: '*\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
- SELECTION_9:
- Details: DWORD (1)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9)))
-falsepositives:
-- Unlikely
-id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/08
-references:
-- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
-- https://github.com/elastic/detection-rules/issues/1371
-- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
-- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1140
-- attack.t1112
-yml_filename: sysmon_dns_over_https_enabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
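Review bot: all three branches of this rule were dead as written. SELECTION_7 `Details: DWORD (secure)` cannot match because `DnsOverHttpsMode` is a string policy (`off`/`automatic`/`secure`) and Sysmon logs REG_SZ data as the bare string, so the pattern should be `secure`; the chromeenterprise.google reference also places the policy under `Software\Policies\Google\Chrome`, which `*\SOFTWARE\Google\Chrome\DnsOverHttpsMode` does not match (the `\Policies\` segment is missing). The Edge and Firefox branches use `DWORD (1)`, which Sysmon renders as `DWORD (0x00000001)`. Fix these before any regenerated copy lands, and drop `attack.t1140` (Deobfuscate/Decode Files), which does not describe enabling DoH; `attack.t1112` already covers it.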
diff --git a/rules/alert-rules/sigma/sysmon_efspotato_namedpipe.yml b/rules/alert-rules/sigma/sysmon_efspotato_namedpipe.yml
deleted file mode 100644
index 5c507448..00000000
--- a/rules/alert-rules/sigma/sysmon_efspotato_namedpipe.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: EfsPotato Named Pipe
-author: Florian Roth
-date: 2021/08/23
-description: Detects the pattern of a pipe name as used by the tool EfsPotato
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: '*\pipe\\*'
- SELECTION_4:
- PipeName: '*\pipe\srvsvc*'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unknown
-id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-references:
-- https://twitter.com/SBousseaden/status/1429530155291193354?s=20
-- https://github.com/zcgonvh/EfsPotato
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_efspotato_namedpipe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
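Review bot: SELECTION_3 `'*\pipe\\*'` is ambiguous. Under Sigma escaping `\\*` is a literal backslash followed by the wildcard, so this reads as `*\pipe\*`, i.e. any PipeName containing `\pipe\`; that makes SELECTION_4 `'*\pipe\srvsvc*'` a strict subset and redundant. If a literal double backslash was intended, the pattern needs `\\\\*`. Either way, state which one in a comment if the rule is regenerated. The `logsource.definition` text also mixes Sysmon configuration advice with "How to test detection?" instructions and three URLs; those belong under `references`, not in the log source definition.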
diff --git a/rules/alert-rules/sigma/sysmon_enabling_cor_profiler_env_variables.yml b/rules/alert-rules/sigma/sysmon_enabling_cor_profiler_env_variables.yml
deleted file mode 100644
index d5849315..00000000
--- a/rules/alert-rules/sigma/sysmon_enabling_cor_profiler_env_variables.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Enabling COR Profiler Environment Variables
-author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
-date: 2020/09/10
-description: This rule detects cor_enable_profiling and cor_profiler environment variables
- being set and configured.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\COR_ENABLE_PROFILING'
- SELECTION_5:
- TargetObject: '*\COR_PROFILER'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-id: ad89044a-8f49-4673-9a55-cbd88a1b374f
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://twitter.com/jamieantisocial/status/1304520651248668673
-- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
-- https://www.sans.org/cyber-security-summit/archives
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.defense_evasion
-- attack.t1574.012
-yml_filename: sysmon_enabling_cor_profiler_env_variables.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
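Review bot: the title says "Enabling", but the selection matches every event on these value names regardless of data, including Event ID 12 key creation/deletion and a write of `COR_ENABLE_PROFILING` = 0, so removing a profiler fires this high-level rule exactly like installing one. Add a `Details` check (for example `DWORD (0x00000001)` on `COR_ENABLE_PROFILING`) in any regenerated copy. This is also the only rule in the hunk set without a `falsepositives` entry, and legitimate .NET profilers set the same two values.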
diff --git a/rules/alert-rules/sigma/sysmon_etw_disabled.yml b/rules/alert-rules/sigma/sysmon_etw_disabled.yml
deleted file mode 100644
index 2655cef4..00000000
--- a/rules/alert-rules/sigma/sysmon_etw_disabled.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: COMPlus_ETWEnabled Registry Modification
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
- SELECTION_5:
- Details: DWORD (0x00000000)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- unknown
-id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://twitter.com/_xpn_/status/1268712093928378368
-- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
-- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
-- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
-- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
-- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
-- https://bunnyinside.com/?term=f71e8cb9c76a
-- http://managed670.rssing.com/chan-5590147/all_p1.html
-- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_etw_disabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
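Review bot: `TargetObject: '*SOFTWARE\Microsoft\.NETFramework\ETWEnabled'` misses the 32-bit view: `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\ETWEnabled` does not contain the contiguous `SOFTWARE\Microsoft\` substring, so a regenerated copy should match on `*\Microsoft\.NETFramework\ETWEnabled` instead. The same setting can be applied per process through the `COMPlus_ETWEnabled` environment variable named in the title, which a registry_event rule cannot see; pair this with a process_creation rule for that string in command lines. For the record, this is the only registry rule in the patch whose `Details` pattern (`DWORD (0x00000000)`) uses Sysmon's real DWORD rendering.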
diff --git a/rules/alert-rules/sigma/sysmon_excel_outbound_network_connection.yml b/rules/alert-rules/sigma/sysmon_excel_outbound_network_connection.yml
deleted file mode 100644
index 8590f3d9..00000000
--- a/rules/alert-rules/sigma/sysmon_excel_outbound_network_connection.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-title: Excel Network Connections
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0"
-date: 2021/11/10
-description: Detects an Excel process that opens suspicious network connections to
- non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely
- have to tune this rule for your organization, but it is certainly something you
- should look for and could have applications for malicious activity beyond CVE-2021-42292.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- DestinationIp: 172.19.*
- SELECTION_11:
- DestinationIp: 172.20.*
- SELECTION_12:
- DestinationIp: 172.21.*
- SELECTION_13:
- DestinationIp: 172.22.*
- SELECTION_14:
- DestinationIp: 172.23.*
- SELECTION_15:
- DestinationIp: 172.24.*
- SELECTION_16:
- DestinationIp: 172.25.*
- SELECTION_17:
- DestinationIp: 172.26.*
- SELECTION_18:
- DestinationIp: 172.27.*
- SELECTION_19:
- DestinationIp: 172.28.*
- SELECTION_2:
- Image: '*\excel.exe'
- SELECTION_20:
- DestinationIp: 172.29.*
- SELECTION_21:
- DestinationIp: 172.30.*
- SELECTION_22:
- DestinationIp: 172.31.*
- SELECTION_23:
- DestinationIp: 127.0.0.1*
- SELECTION_24:
- DestinationIsIpv6: 'false'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIsIpv6: 'false'
- SELECTION_5:
- DestinationIp: 10.*
- SELECTION_6:
- DestinationIp: 192.168.*
- SELECTION_7:
- DestinationIp: 172.16.*
- SELECTION_8:
- DestinationIp: 172.17.*
- SELECTION_9:
- DestinationIp: 172.18.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
- ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24))
-falsepositives:
-- You may have to tune certain domains out that Excel may call out to, such as microsoft
- or other business use case domains.
-- Office documents commonly have templates that refer to external addresses, like
- sharepoint.ourcompany.com may have to be tuned.
-- It is highly recomended to baseline your activity and tune out common business use
- cases.
-id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
-level: medium
-logsource:
- category: network_connection
- product: windows
-references:
-- https://corelight.com/blog/detecting-cve-2021-42292
-status: experimental
-tags:
-- attack.execution
-- attack.t1203
-yml_filename: sysmon_excel_outbound_network_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
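Review bot: SELECTION_4 and SELECTION_24 are the same selection (`DestinationIsIpv6: 'false'`); SELECTION_4 is already a required conjunct, so the `and SELECTION_24` inside the `not (...)` is always true and should be removed. The loopback exclusion `127.0.0.1*` is narrower than the `127.*` the dllhost rule in this patch uses (and `127.0.0.1*` also matches `127.0.0.100` to `127.0.0.199`); align the two. The `author` value has mismatched quoting (`'@Neo23x0"`).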
diff --git a/rules/alert-rules/sigma/sysmon_expand_cabinet_files.yml b/rules/alert-rules/sigma/sysmon_expand_cabinet_files.yml
deleted file mode 100644
index 47472d53..00000000
--- a/rules/alert-rules/sigma/sysmon_expand_cabinet_files.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Cabinet File Expansion
-author: Bhabesh Raj
-date: 2021/07/30
-description: Adversaries can use the inbuilt expand utility to decompress cab files
- as seen in recent Iranian MeteorExpress attack
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\expand.exe'
- SELECTION_3:
- CommandLine: '*.cab*'
- SELECTION_4:
- CommandLine: '*/F:*'
- SELECTION_5:
- CommandLine: '*-F:*'
- SELECTION_6:
- CommandLine: '*C:\ProgramData\\*'
- SELECTION_7:
- CommandLine: '*C:\Public\\*'
- SELECTION_8:
- CommandLine: '*\AppData\Local\Temp\\*'
- SELECTION_9:
- CommandLine: '*\AppData\Roaming\Temp\\*'
- condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- System administrator Usage
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 9f107a84-532c-41af-b005-8d12a607639f
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/08/31
-references:
-- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
-- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
-status: experimental
-tags:
-- attack.execution
-- attack.t1218
-yml_filename: sysmon_expand_cabinet_files.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
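Review bot: SELECTION_7 `'*C:\Public\\*'` names a directory that does not exist on a default Windows install; the public profile is `C:\Users\Public\`, so this branch is dead while the real path is uncovered. The tactic/technique pairing is also off: T1218 (System Binary Proxy Execution) sits under Defense Evasion, not Execution, so `attack.execution` should be `attack.defense_evasion` if the rule is regenerated. `(SELECTION_2)` in the condition is a single term wrapped in parentheses, a converter artefact.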
diff --git a/rules/alert-rules/sigma/sysmon_foggyweb_nobelium.yml b/rules/alert-rules/sigma/sysmon_foggyweb_nobelium.yml
deleted file mode 100644
index 145cac4b..00000000
--- a/rules/alert-rules/sigma/sysmon_foggyweb_nobelium.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: FoggyWeb Backdoor DLL Loading
-author: Florian Roth
-date: 2021/09/27
-description: Detects DLL image load activity as used by FoggyWeb backdoor loader
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: C:\Windows\ADFS\version.dll
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unlikely
-id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
-level: critical
-logsource:
- category: image_load
- product: windows
-references:
-- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
-status: experimental
-yml_filename: sysmon_foggyweb_nobelium.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
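Review bot: this critical-level rule tests the wrong field. For Event ID 7 (image_load) the loaded module is reported in `ImageLoaded`; `Image` is the process that loads it, so `Image: C:\Windows\ADFS\version.dll` can never match (a DLL is not a process image) and the rule was dead as written. A regenerated copy should use `ImageLoaded: C:\Windows\ADFS\version.dll`, and could pin `Image` to the AD FS service process to tighten it. It is also the only rule in this patch without a `tags` block.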
diff --git a/rules/alert-rules/sigma/sysmon_ghostpack_safetykatz.yml b/rules/alert-rules/sigma/sysmon_ghostpack_safetykatz.yml
deleted file mode 100644
index f27d8af8..00000000
--- a/rules/alert-rules/sigma/sysmon_ghostpack_safetykatz.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Detection of SafetyKatz
-author: Markus Neis
-date: 2018/07/24
-description: Detects possible SafetyKatz Behaviour
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\Temp\debug.bin'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: e074832a-eada-4fd7-94a1-10642b130e16
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://github.com/GhostPack/SafetyKatz
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: sysmon_ghostpack_safetykatz.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_hack_wce.yml b/rules/alert-rules/sigma/sysmon_hack_wce.yml
deleted file mode 100644
index 6740e6d3..00000000
--- a/rules/alert-rules/sigma/sysmon_hack_wce.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Windows Credential Editor
-author: Florian Roth
-date: 2019/12/31
-description: Detects the use of Windows Credential Editor (WCE)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- EventID: 1
- SELECTION_3:
- Imphash: a53a02b997935fd8eedcb5f7abab9b9f
- SELECTION_4:
- Imphash: e96a73c7bf33a464c510ede582318bf2
- SELECTION_5:
- CommandLine: '*.exe -S'
- SELECTION_6:
- ParentImage: '*\services.exe'
- SELECTION_7:
- Image: '*\clussvc.exe'
- condition: (SELECTION_1 and (SELECTION_2 and ((SELECTION_3 or SELECTION_4) or
- (SELECTION_5 and SELECTION_6))) and not (SELECTION_7))
-falsepositives:
-- Another service that uses a single -s command line switch
-id: 7aa7009a-28b9-4344-8c1f-159489a390df
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/07/15
-references:
-- https://www.ampliasecurity.com/research/windows-credentials-editor/
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-- attack.s0005
-yml_filename: sysmon_hack_wce.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
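Review bot: SELECTION_1 and SELECTION_2 are both `EventID: 1` and the condition ANDs them, a harmless but confusing converter artefact (the UserInitMprLogonScript process rule later in this patch has the same duplication). The two branches are very different in quality: the Imphash values are exact IoCs, while `*.exe -S` spawned by services.exe is a behavioural heuristic that the `falsepositives` entry warns about; a regenerated copy should split them so the heuristic can carry a lower level than `critical`. No `status` field is set.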
diff --git a/rules/alert-rules/sigma/sysmon_hack_wce_reg.yml b/rules/alert-rules/sigma/sysmon_hack_wce_reg.yml
deleted file mode 100644
index 9c039f1b..00000000
--- a/rules/alert-rules/sigma/sysmon_hack_wce_reg.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Windows Credential Editor Registry
-author: Florian Roth
-date: 2019/12/31
-description: Detects the use of Windows Credential Editor (WCE)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Services\WCESERVICE\Start*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: a6b33c02-8305-488f-8585-03cb2a7763f2
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://www.ampliasecurity.com/research/windows-credentials-editor/
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-- attack.s0005
-yml_filename: sysmon_hack_wce_reg.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_high_integrity_sdclt.yml b/rules/alert-rules/sigma/sysmon_high_integrity_sdclt.yml
deleted file mode 100644
index 4764785e..00000000
--- a/rules/alert-rules/sigma/sysmon_high_integrity_sdclt.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: High Integrity Sdclt Process
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for sdclt being spawned as an elevated process. This
- could be an indicator of sdclt being used for bypass UAC techniques.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*sdclt.exe'
- SELECTION_3:
- IntegrityLevel: High
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 40f9af16-589d-4984-b78d-8c2aec023197
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/6
-- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.defense_evasion
-- attack.t1548.002
-yml_filename: sysmon_high_integrity_sdclt.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
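Review bot: `Image: '*sdclt.exe'` has no path separator, so any image whose name merely ends in `sdclt.exe` (for example `notsdclt.exe`) matches; use `'*\sdclt.exe'` as the other process_creation rules in this patch do.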
diff --git a/rules/alert-rules/sigma/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/alert-rules/sigma/sysmon_hybridconnectionmgr_svc_installation.yml
deleted file mode 100644
index 46517e2c..00000000
--- a/rules/alert-rules/sigma/sysmon_hybridconnectionmgr_svc_installation.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: HybridConnectionManager Service Installation
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-description: Detects the installation of the Azure Hybrid Connection Manager service
- to allow remote code execution from Azure function.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Services\HybridConnectionManager*'
- SELECTION_5:
- Details: '*Microsoft.HybridConnectionManager.Listener.exe*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
-status: experimental
-tags:
-- attack.persistence
-yml_filename: sysmon_hybridconnectionmgr_svc_installation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_in_memory_assembly_execution.yml b/rules/alert-rules/sigma/sysmon_in_memory_assembly_execution.yml
deleted file mode 100644
index c956517f..00000000
--- a/rules/alert-rules/sigma/sysmon_in_memory_assembly_execution.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-title: Suspicious In-Memory Module Execution
-author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
-date: 2019/10/27
-description: Detects the access to processes by other suspicious processes which have
- reflectively loaded libraries in their memory space. An example is SilentTrinity
- C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
- call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
- the module name. Usually this means the stack call points to a module that was
- reflectively loaded in memory. Adding to this, it is not common to see such few
- calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially
- means that most of the functions required by the process to execute certain routines
- are already present in memory, not requiring any calls to external libraries.
- The latter should also be considered suspicious.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_10:
- GrantedAccess: '0x1F0FFF'
- SELECTION_11:
- GrantedAccess: '0x1F1FFF'
- SELECTION_12:
- GrantedAccess: '0x143A'
- SELECTION_13:
- GrantedAccess: '0x1410'
- SELECTION_14:
- GrantedAccess: '0x1010'
- SELECTION_15:
- GrantedAccess: '0x1F2FFF'
- SELECTION_16:
- GrantedAccess: '0x1F3FFF'
- SELECTION_17:
- GrantedAccess: '0x1FFFFF'
- SELECTION_18:
- SourceImage: '*\Windows\System32\sdiagnhost.exe'
- SELECTION_2:
- CallTrace: '*C:\WINDOWS\SYSTEM32\ntdll.dll+*'
- SELECTION_3:
- CallTrace: '*|C:\WINDOWS\System32\KERNELBASE.dll+*'
- SELECTION_4:
- CallTrace: '*|UNKNOWN(*'
- SELECTION_5:
- CallTrace: '*)*'
- SELECTION_6:
- CallTrace: '*UNKNOWN(*'
- SELECTION_7:
- CallTrace: '*)|UNKNOWN(*'
- SELECTION_8:
- CallTrace: '*)'
- SELECTION_9:
- CallTrace: '*UNKNOWN*'
- condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9
- and (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17)) and not ((SELECTION_18)))))
-falsepositives:
-- Low
-fields:
-- ComputerName
-- User
-- SourceImage
-- TargetImage
-- CallTrace
-id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
-level: critical
-logsource:
- category: process_access
- product: windows
-modified: 2021/10/21
-references:
-- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.defense_evasion
-- attack.t1055.001
-- attack.t1055.002
-- attack.t1055
-yml_filename: sysmon_in_memory_assembly_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
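Review bot: the parenthesisation applies `not (SELECTION_18)` (the sdiagnhost.exe exclusion) only to the third branch `(SELECTION_9 and (SELECTION_10 or ... SELECTION_17))`; the two CallTrace-shape branches have no exclusion, so sdiagnhost.exe still fires through them. SELECTION_2/3 hard-code `C:\WINDOWS\SYSTEM32\` and `C:\WINDOWS\System32\`; Sigma matching is case-insensitive so the case mismatch is cosmetic, but the drive letter and system root are not guaranteed, and `*\ntdll.dll+*` / `*|*\KERNELBASE.dll+*` would be more robust. `falsepositives: Low` is a rating, not a false-positive source.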
diff --git a/rules/alert-rules/sigma/sysmon_in_memory_powershell.yml b/rules/alert-rules/sigma/sysmon_in_memory_powershell.yml
deleted file mode 100644
index da410a09..00000000
--- a/rules/alert-rules/sigma/sysmon_in_memory_powershell.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-title: In-memory PowerShell
-author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
-date: 2019/11/14
-description: Detects loading of essential DLL used by PowerShell, but not by the process
- powershell.exe. Detects meterpreter's "load powershell" extension.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_10:
- Image: '*\wsmprovhost.exe'
- SELECTION_11:
- Image: '*\winrshost.exe'
- SELECTION_12:
- Image: '*\syncappvpublishingserver.exe'
- SELECTION_13:
- Image: '*\runscripthelper.exe'
- SELECTION_14:
- Image: '*\ServerManager.exe'
- SELECTION_15:
- Image: '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
- SELECTION_2:
- ImageLoaded: '*\System.Management.Automation.Dll'
- SELECTION_3:
- ImageLoaded: '*\System.Management.Automation.ni.Dll'
- SELECTION_4:
- Image: '*\powershell.exe'
- SELECTION_5:
- Image: '*\powershell_ise.exe'
- SELECTION_6:
- Image: '*\WINDOWS\System32\sdiagnhost.exe'
- SELECTION_7:
- Image: '*\mscorsvw.exe'
- SELECTION_8:
- Image: '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
- SELECTION_9:
- Image: '*\sqlps.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15)))
-enrichment:
-- EN_0001_cache_sysmon_event_id_1_info
-- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
-falsepositives:
-- Used by some .NET binaries, minimal on user workstation.
-- Used by Microsoft SQL Server Management Studio
-id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/11
-references:
-- https://adsecurity.org/?p=2921
-- https://github.com/p3nt4/PowerShdll
-related:
-- id: 867613fb-fa60-4497-a017-a82df74a172c
- type: obsoletes
-status: experimental
-tags:
-- attack.t1086
-- attack.t1059.001
-- attack.execution
-yml_filename: sysmon_in_memory_powershell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
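Review bot: the exclusion list stops at powershell.exe and powershell_ise.exe; `pwsh.exe` (PowerShell 7) is not excluded, and it loads System.Management.Automation.dll on every start, so this high-level rule fires on every PowerShell Core launch. `attack.t1086` is a retired ID superseded by `attack.t1059.001`, which is already present. The `enrichment:` block (EN_0001/EN_0003) is not part of the standard Sigma schema; confirm the consumer ignores unknown keys or drop it in any regenerated copy.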
diff --git a/rules/alert-rules/sigma/sysmon_invoke_phantom.yml b/rules/alert-rules/sigma/sysmon_invoke_phantom.yml
deleted file mode 100644
index 0516ecf2..00000000
--- a/rules/alert-rules/sigma/sysmon_invoke_phantom.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspect Svchost Memory Asccess
-author: Tim Burrell
-date: 2020/01/02
-description: Detects suspect access to svchost process memory such as that used by
- Invoke-Phantom to kill the winRM windows event logging service.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\WINDOWS\System32\svchost.exe'
- SELECTION_3:
- GrantedAccess: '0x1F3FFF'
- SELECTION_4:
- CallTrace: '*UNKNOWN*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/10/21
-references:
-- https://github.com/hlldz/Invoke-Phant0m
-- https://twitter.com/timbmsft/status/900724491076214784
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.002
-- attack.t1089
-yml_filename: sysmon_invoke_phantom.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
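Review bot: `attack.t1089` is a retired ID (superseded by T1562.001) sitting beside `attack.t1562.002`; keep only the current one. The title typo `Asccess` should be `Access`. `GrantedAccess: '0x1F3FFF'` is a single exact mask, which is brittle; the in-memory module rule earlier in this patch lists the family of full-access masks and a regenerated copy should reuse that list.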
diff --git a/rules/alert-rules/sigma/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_lazagne_cred_dump_lsass_access.yml
deleted file mode 100644
index 8ba75ce6..00000000
--- a/rules/alert-rules/sigma/sysmon_lazagne_cred_dump_lsass_access.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Credential Dumping by LaZagne
-author: Bhabesh Raj, Jonhnathan Ribeiro
-date: 2020/09/09
-description: Detects LSASS process access by LaZagne for credential dumping.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
- SELECTION_4:
- CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
- SELECTION_5:
- CallTrace: '*_ctypes.pyd+*'
- SELECTION_6:
- CallTrace: '*python27.dll+*'
- SELECTION_7:
- GrantedAccess: '0x1FFFFF'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- Unknown
-id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
-level: critical
-logsource:
- category: process_access
- product: windows
-references:
-- https://twitter.com/bh4b3sh/status/1303674603819081728
-status: stable
-tags:
-- attack.credential_access
-- attack.t1003.001
-- attack.s0349
-yml_filename: sysmon_lazagne_cred_dump_lsass_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
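Review bot: this is the only `status: stable` rule in the patch; deleting it should be called out in the commit message rather than buried among experimental ones. Style: the CallTrace patterns here double every backslash (`C:\\Windows\\SYSTEM32\\ntdll.dll+`) while the in-memory module rule writes `C:\WINDOWS\SYSTEM32\ntdll.dll+`; both resolve to a single backslash under Sigma escaping (`\\` not followed by a wildcard), so behaviour is identical, but a regenerated set should pick one convention.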
diff --git a/rules/alert-rules/sigma/sysmon_littlecorporal_generated_maldoc.yml b/rules/alert-rules/sigma/sysmon_littlecorporal_generated_maldoc.yml
deleted file mode 100644
index 7fa76c84..00000000
--- a/rules/alert-rules/sigma/sysmon_littlecorporal_generated_maldoc.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: LittleCorporal Generated Maldoc Injection
-author: Christian Burkard
-date: 2021/08/09
-description: Detects the process injection of a LittleCorporal generated Maldoc.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- SourceImage: '*winword.exe'
- SELECTION_3:
- CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
- SELECTION_4:
- CallTrace: '*UNKNOWN*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
-level: high
-logsource:
- category: process_access
- product: windows
-references:
-- https://github.com/connormcgarr/LittleCorporal
-status: experimental
-tags:
-- attack.execution
-- attack.t1204.002
-- attack.t1055.003
-yml_filename: sysmon_littlecorporal_generated_maldoc.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
diff --git a/rules/alert-rules/sigma/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/alert-rules/sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
deleted file mode 100644
index c6562d03..00000000
--- a/rules/alert-rules/sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Load Undocumented Autoelevated COM Interface
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-description: COM interface (EditionUpgradeManager) that is not used by standard executables.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- CallTrace: '*editionupgrademanagerobj.dll*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- ComputerName
-- User
-- SourceImage
-- TargetImage
-- CallTrace
-id: fb3722e4-1a06-46b6-b772-253e2e7db933
-level: high
-logsource:
- category: process_access
- product: windows
-references:
-- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
-- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_load_undocumented_autoelevated_com_interface.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
diff --git a/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
deleted file mode 100644
index 860bd884..00000000
--- a/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Logon Scripts (UserInitMprLogonScript)
-author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- EventID: 1
- SELECTION_3:
- ParentImage: '*\userinit.exe'
- SELECTION_4:
- Image: '*\explorer.exe'
- SELECTION_5:
- CommandLine: '*netlogon.bat*'
- SELECTION_6:
- CommandLine: '*UsrLogon.cmd*'
- SELECTION_7:
- CommandLine: '*UserInitMprLogonScript*'
- condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 and not (SELECTION_4))
- and not ((SELECTION_5 or SELECTION_6))) or SELECTION_7))
-falsepositives:
-- exclude legitimate logon scripts
-- penetration tests, red teaming
-id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://attack.mitre.org/techniques/T1037/
-status: experimental
-tags:
-- attack.t1037
-- attack.t1037.001
-- attack.persistence
-yml_filename: sysmon_logon_scripts_userinitmprlogonscript_proc.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
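Review bot: `SELECTION_1` and `SELECTION_2` are both `EventID: 1`, so the nesting `SELECTION_1 and ((SELECTION_2 and ...` in the condition is a redundant artefact of the conversion; if this rule is regenerated elsewhere the converter should fold identical selections. Note also that the `not (SELECTION_4)` exclusion of `*\explorer.exe` and the `netlogon.bat`/`UsrLogon.cmd` exclusions apply only to the userinit-parent branch, while the `SELECTION_7` branch (`CommandLine: '*UserInitMprLogonScript*'`) is deliberately unconstrained; a comment in the rule would keep a future cleanup from merging the two branches.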
diff --git a/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
deleted file mode 100644
index 1e5de4ca..00000000
--- a/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Logon Scripts (UserInitMprLogonScript) Registry
-author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*UserInitMprLogonScript*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- exclude legitimate logon scripts
-- penetration tests, red teaming
-id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/07/01
-references:
-- https://attack.mitre.org/techniques/T1037/
-status: experimental
-tags:
-- attack.t1037
-- attack.t1037.001
-- attack.persistence
-- attack.lateral_movement
-yml_filename: sysmon_logon_scripts_userinitmprlogonscript_reg.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
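Review bot: the tag list ends with `attack.lateral_movement`, but the only techniques tagged are `attack.t1037` and `attack.t1037.001`, which ATT&CK files under persistence and privilege escalation; `attack.privilege_escalation` is missing and `lateral_movement` does not belong here. Minor, but if this rule and its `_proc` sibling are re-homed, align the tactic tags with the technique.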
diff --git a/rules/alert-rules/sigma/sysmon_long_powershell_commandline.yml b/rules/alert-rules/sigma/sysmon_long_powershell_commandline.yml
deleted file mode 100644
index 9b456010..00000000
--- a/rules/alert-rules/sigma/sysmon_long_powershell_commandline.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Too Long PowerShell Commandlines
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects Too long PowerShell command lines
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*powershell*'
- SELECTION_3:
- CommandLine: '*pwsh*'
- SELECTION_4:
- Description: Windows Powershell
- SELECTION_5:
- Product: PowerShell Core 6
- SELECTION_6:
- CommandLine|re: .{1000,}
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or SELECTION_4 or SELECTION_5)
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/05/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: sysmon_long_powershell_commandline.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
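Review bot: `Description: Windows Powershell` is an exact-match string, while the file description of the PowerShell binary reads `Windows PowerShell`; unless the matching engine is case-insensitive, `SELECTION_4` never fires and the rule silently depends on the command-line substrings alone. The `falsepositives: Unknown` spelling (capital U) also departs from the `unknown` value the rule-writing guide in this repository prescribes, and the same inconsistency recurs in several of the rules below.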
diff --git a/rules/alert-rules/sigma/sysmon_lsass_dump_comsvcs_dll.yml b/rules/alert-rules/sigma/sysmon_lsass_dump_comsvcs_dll.yml
deleted file mode 100644
index e43387d6..00000000
--- a/rules/alert-rules/sigma/sysmon_lsass_dump_comsvcs_dll.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Lsass Memory Dump via Comsvcs DLL
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
- via rundll32 to perform a memory dump from lsass.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- SourceImage: C:\Windows\System32\rundll32.exe
- SELECTION_4:
- CallTrace: '*comsvcs.dll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: a49fa4d5-11db-418c-8473-1e014a8dd462
-level: critical
-logsource:
- category: process_access
- product: windows
-modified: 2021/06/21
-references:
-- https://twitter.com/shantanukhande/status/1229348874298388484
-- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-yml_filename: sysmon_lsass_dump_comsvcs_dll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
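Review bot: `SourceImage: C:\Windows\System32\rundll32.exe` is an exact path, so the 32-bit `C:\Windows\SysWOW64\rundll32.exe` loading the same `comsvcs.dll` MiniDump export is not covered, and the rule is only as good as the install drive being `C:`. The neighbouring rules use suffix matches such as `'*\rundll32.exe'` for exactly this reason; if a replacement is written, prefer that form.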
diff --git a/rules/alert-rules/sigma/sysmon_lsass_memdump.yml b/rules/alert-rules/sigma/sysmon_lsass_memdump.yml
deleted file mode 100644
index 7c9b9049..00000000
--- a/rules/alert-rules/sigma/sysmon_lsass_memdump.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: LSASS Memory Dump
-author: Samir Bousseaden
-date: 2019/04/03
-description: Detects process LSASS memory dump using procdump or taskmgr based on
- the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- GrantedAccess: '0x1fffff'
- SELECTION_4:
- CallTrace: '*dbghelp.dll*'
- SELECTION_5:
- CallTrace: '*dbgcore.dll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- unknown
-id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/06/21
-references:
-- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-- attack.t1003
-- attack.s0002
-yml_filename: sysmon_lsass_memdump.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
diff --git a/rules/alert-rules/sigma/sysmon_lsass_memory_dump_file_creation.yml b/rules/alert-rules/sigma/sysmon_lsass_memory_dump_file_creation.yml
deleted file mode 100644
index 091246e1..00000000
--- a/rules/alert-rules/sigma/sysmon_lsass_memory_dump_file_creation.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: LSASS Memory Dump File Creation
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-description: LSASS memory dump creation using operating systems utilities. Procdump
- will use process name in output file if no name is specified
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*lsass*'
- SELECTION_3:
- TargetFilename: '*dmp'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Dumping lsass memory for forensic investigation purposes by legitimate incident
- responder or forensic invetigator
-- Dumps of another process that contains lsass in its process name (substring)
-fields:
-- ComputerName
-- TargetFilename
-id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/08/16
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: sysmon_lsass_memory_dump_file_creation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
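Review bot: `TargetFilename: '*dmp'` has no dot, so it matches any file name that merely ends in the letters `dmp`, not just the `.dmp` extension; `'*.dmp'` is presumably intended. The second falsepositives entry already concedes the same over-matching problem for `*lsass*`. Also, `invetigator` in the first falsepositives entry is misspelled.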
diff --git a/rules/alert-rules/sigma/sysmon_mal_cobaltstrike.yml b/rules/alert-rules/sigma/sysmon_mal_cobaltstrike.yml
deleted file mode 100644
index 3f6962a0..00000000
--- a/rules/alert-rules/sigma/sysmon_mal_cobaltstrike.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: CobaltStrike Named Pipe
-author: Florian Roth, Wojciech Lesicki
-date: 2021/05/25
-description: Detects the creation of a named pipe as used by CobaltStrike
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: '*\MSSE-*'
- SELECTION_4:
- PipeName: '*-server*'
- SELECTION_5:
- PipeName: \postex_*
- SELECTION_6:
- PipeName: \postex_ssh_*
- SELECTION_7:
- PipeName: \status_*
- SELECTION_8:
- PipeName: \msagent_*
- condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 and SELECTION_4) or
- SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Unknown
-id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can always use Cobalt Strike, but also you can check powershell script from
- this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-references:
-- https://twitter.com/d4rksystem/status/1357010969264873472
-- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
-- https://github.com/Neo23x0/sigma/issues/253
-- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_mal_cobaltstrike.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
diff --git a/rules/alert-rules/sigma/sysmon_mal_cobaltstrike_re.yml b/rules/alert-rules/sigma/sysmon_mal_cobaltstrike_re.yml
deleted file mode 100644
index a2927628..00000000
--- a/rules/alert-rules/sigma/sysmon_mal_cobaltstrike_re.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-title: CobaltStrike Named Pipe Pattern Regex
-author: Florian Roth
-date: 2021/07/30
-description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
- Malleable C2 profiles
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_10:
- PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
- SELECTION_11:
- PipeName|re: \\\\scerpc_?[0-9a-f]{2}
- SELECTION_12:
- PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
- SELECTION_13:
- PipeName|re: \\\\MsFteWds[0-9a-f]{2}
- SELECTION_14:
- PipeName|re: \\\\f4c3[0-9a-f]{2}
- SELECTION_15:
- PipeName|re: \\\\fullduplex_[0-9a-f]{2}
- SELECTION_16:
- PipeName|re: \\\\msrpc_[0-9a-f]{4}
- SELECTION_17:
- PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
- SELECTION_18:
- PipeName|re: \\\\f53f[0-9a-f]{2}
- SELECTION_19:
- PipeName|re: \\\\rpc_[0-9a-f]{2}
- SELECTION_2:
- EventID: 18
- SELECTION_20:
- PipeName|re: \\\\spoolss_[0-9a-f]{2}
- SELECTION_21:
- PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
- SELECTION_3:
- PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
- SELECTION_4:
- PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
- SELECTION_5:
- PipeName|re: \\\\ntsvcs[0-9a-f]{2}
- SELECTION_6:
- PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
- SELECTION_7:
- PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
- SELECTION_8:
- PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
- SELECTION_9:
- PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21))
-falsepositives:
-- Unknown
-id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular You can also use other repo,
- e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
- How to test detection? You can always use Cobalt Strike, but also you can
- check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-modified: 2021/09/02
-references:
-- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
-- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_mal_cobaltstrike_re.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
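Review bot: `SELECTION_21` ends in a stray comma (`...CatalogChangeListener-[0-9a-f]{3}-0,`), which the regex engine treats as a required literal `,`; it looks like a list separator carried over from the source rule and should be dropped when the rule is regenerated. The `definition` text also repeats the sentence "You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular" twice. Separately, these values are unquoted YAML plain scalars, so `\\\\ntsvcs_[0-9a-f]{2}` is four backslash characters, i.e. a regex for two literal backslashes, whereas the non-regex sibling rule above matches pipe names with a single leading backslash (`\postex_*`); check how the converter escapes `|re` values before re-adding, because as written these patterns may never match a real pipe name.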
diff --git a/rules/alert-rules/sigma/sysmon_mal_namedpipes.yml b/rules/alert-rules/sigma/sysmon_mal_namedpipes.yml
deleted file mode 100644
index b0384e87..00000000
--- a/rules/alert-rules/sigma/sysmon_mal_namedpipes.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-title: Malicious Named Pipe
-author: Florian Roth, blueteam0ps, elhoim
-date: 2017/11/06
-description: Detects the creation of a named pipe used by known APT malware
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_10:
- PipeName: \46a676ab7f179e511e30dd2dc41bd388
- SELECTION_11:
- PipeName: \9f81f59bc58452127884ce513865ed20
- SELECTION_12:
- PipeName: \e710f28d59aa529d6792ca6ff0ca1b34
- SELECTION_13:
- PipeName: \rpchlp_3
- SELECTION_14:
- PipeName: \NamePipe_MoreWindows
- SELECTION_15:
- PipeName: \pcheap_reuse
- SELECTION_16:
- PipeName: \gruntsvc
- SELECTION_17:
- PipeName: \583da945-62af-10e8-4902-a8f205c72b2e
- SELECTION_18:
- PipeName: \bizkaz
- SELECTION_19:
- PipeName: \svcctl
- SELECTION_2:
- EventID: 18
- SELECTION_20:
- PipeName: \Posh*
- SELECTION_21:
- PipeName: \jaccdpqnvbrrxlaf
- SELECTION_22:
- PipeName: \csexecsvc
- SELECTION_23:
- PipeName: \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
- SELECTION_24:
- PipeName: \adschemerpc
- SELECTION_25:
- PipeName: \AnonymousPipe
- SELECTION_26:
- PipeName: \bc367
- SELECTION_27:
- PipeName: \bc31a7
- SELECTION_28:
- PipeName: \testPipe
- SELECTION_3:
- PipeName: \isapi_http
- SELECTION_4:
- PipeName: \isapi_dg
- SELECTION_5:
- PipeName: \isapi_dg2
- SELECTION_6:
- PipeName: \sdlrpc
- SELECTION_7:
- PipeName: \ahexec
- SELECTION_8:
- PipeName: \winsession
- SELECTION_9:
- PipeName: \lsassw
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28))
-falsepositives:
-- Unknown
-id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
-level: critical
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-modified: 2021/10/30
-references:
-- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
-- https://securelist.com/faq-the-projectsauron-apt/75533/
-- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
-- https://www.us-cert.gov/ncas/alerts/TA17-117A
-- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
-- https://thedfirreport.com/2020/06/21/snatch-ransomware/
-- https://github.com/RiccardoAncarani/LiquidSnake
-- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
-- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
-- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_mal_namedpipes.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
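Review bot: at `level: critical` with `falsepositives: Unknown`, the generic entries `\svcctl`, `\testPipe` and `\AnonymousPipe` deserve a word on expected noise: `\svcctl` is also the name of the Service Control Manager RPC endpoint pipe, and `testPipe`/`AnonymousPipe` are plausible names for any developer's test program, so they are far less specific than the hash-like and GUID-like names listed alongside them. If the rule is re-homed, either split those three out at a lower level or document why they are kept at critical.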
diff --git a/rules/alert-rules/sigma/sysmon_malware_backconnect_ports.yml b/rules/alert-rules/sigma/sysmon_malware_backconnect_ports.yml
deleted file mode 100644
index 57acad65..00000000
--- a/rules/alert-rules/sigma/sysmon_malware_backconnect_ports.yml
+++ /dev/null
@@ -1,190 +0,0 @@
-title: Suspicious Typical Malware Back Connect Ports
-author: Florian Roth
-date: 2017/03/19
-description: Detects programs that connect to typical malware back connect ports based
- on statistical analysis from two different sandbox system databases
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- DestinationPort: '13506'
- SELECTION_11:
- DestinationPort: '3360'
- SELECTION_12:
- DestinationPort: '200'
- SELECTION_13:
- DestinationPort: '198'
- SELECTION_14:
- DestinationPort: '49180'
- SELECTION_15:
- DestinationPort: '13507'
- SELECTION_16:
- DestinationPort: '6625'
- SELECTION_17:
- DestinationPort: '4444'
- SELECTION_18:
- DestinationPort: '4438'
- SELECTION_19:
- DestinationPort: '1904'
- SELECTION_2:
- Initiated: 'true'
- SELECTION_20:
- DestinationPort: '13505'
- SELECTION_21:
- DestinationPort: '13504'
- SELECTION_22:
- DestinationPort: '12102'
- SELECTION_23:
- DestinationPort: '9631'
- SELECTION_24:
- DestinationPort: '5445'
- SELECTION_25:
- DestinationPort: '2443'
- SELECTION_26:
- DestinationPort: '777'
- SELECTION_27:
- DestinationPort: '13394'
- SELECTION_28:
- DestinationPort: '13145'
- SELECTION_29:
- DestinationPort: '12103'
- SELECTION_3:
- DestinationPort: '4443'
- SELECTION_30:
- DestinationPort: '5552'
- SELECTION_31:
- DestinationPort: '3939'
- SELECTION_32:
- DestinationPort: '3675'
- SELECTION_33:
- DestinationPort: '666'
- SELECTION_34:
- DestinationPort: '473'
- SELECTION_35:
- DestinationPort: '5649'
- SELECTION_36:
- DestinationPort: '4455'
- SELECTION_37:
- DestinationPort: '4433'
- SELECTION_38:
- DestinationPort: '1817'
- SELECTION_39:
- DestinationPort: '100'
- SELECTION_4:
- DestinationPort: '2448'
- SELECTION_40:
- DestinationPort: '65520'
- SELECTION_41:
- DestinationPort: '1960'
- SELECTION_42:
- DestinationPort: '1515'
- SELECTION_43:
- DestinationPort: '743'
- SELECTION_44:
- DestinationPort: '700'
- SELECTION_45:
- DestinationPort: '14154'
- SELECTION_46:
- DestinationPort: '14103'
- SELECTION_47:
- DestinationPort: '14102'
- SELECTION_48:
- DestinationPort: '12322'
- SELECTION_49:
- DestinationPort: '10101'
- SELECTION_5:
- DestinationPort: '8143'
- SELECTION_50:
- DestinationPort: '7210'
- SELECTION_51:
- DestinationPort: '4040'
- SELECTION_52:
- DestinationPort: '9943'
- SELECTION_53:
- EventID: 3
- SELECTION_54:
- Image: '*\Program Files*'
- SELECTION_55:
- DestinationIp: 10.*
- SELECTION_56:
- DestinationIp: 192.168.*
- SELECTION_57:
- DestinationIp: 172.16.*
- SELECTION_58:
- DestinationIp: 172.17.*
- SELECTION_59:
- DestinationIp: 172.18.*
- SELECTION_6:
- DestinationPort: '1777'
- SELECTION_60:
- DestinationIp: 172.19.*
- SELECTION_61:
- DestinationIp: 172.20.*
- SELECTION_62:
- DestinationIp: 172.21.*
- SELECTION_63:
- DestinationIp: 172.22.*
- SELECTION_64:
- DestinationIp: 172.23.*
- SELECTION_65:
- DestinationIp: 172.24.*
- SELECTION_66:
- DestinationIp: 172.25.*
- SELECTION_67:
- DestinationIp: 172.26.*
- SELECTION_68:
- DestinationIp: 172.27.*
- SELECTION_69:
- DestinationIp: 172.28.*
- SELECTION_7:
- DestinationPort: '1443'
- SELECTION_70:
- DestinationIp: 172.29.*
- SELECTION_71:
- DestinationIp: 172.30.*
- SELECTION_72:
- DestinationIp: 172.31.*
- SELECTION_73:
- DestinationIp: 127.*
- SELECTION_74:
- DestinationIsIpv6: 'false'
- SELECTION_8:
- DestinationPort: '243'
- SELECTION_9:
- DestinationPort: '65535'
- condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51 or SELECTION_52)) and not ((SELECTION_53 and (SELECTION_54
- or ((SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59
- or SELECTION_60 or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64
- or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69
- or SELECTION_70 or SELECTION_71 or SELECTION_72 or SELECTION_73) and SELECTION_74)))))
-falsepositives:
-- unknown
-id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
-level: medium
-logsource:
- category: network_connection
- definition: 'Use the following config to generate the necessary Event ID 10 Process
- Access events: VBE7.DLLUNKNOWN'
- product: windows
-modified: 2020/08/24
-references:
-- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1571
-- attack.t1043
-yml_filename: sysmon_malware_backconnect_ports.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
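Review bot: the `definition` field ("Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN") is copied from the verclsid rule below and does not describe this rule, which is a `network_connection` rule keyed on `EventID: 3`; it should be removed or replaced with a note that Sysmon network logging (Event ID 3) must be enabled. `SELECTION_53` (`EventID: 3`) merely duplicates `SELECTION_1` inside the exclusion clause, and `attack.t1043` is the retired predecessor of `attack.t1571`, so only the latter tag is needed.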
diff --git a/rules/alert-rules/sigma/sysmon_malware_verclsid_shellcode.yml b/rules/alert-rules/sigma/sysmon_malware_verclsid_shellcode.yml
deleted file mode 100644
index 02aca63f..00000000
--- a/rules/alert-rules/sigma/sysmon_malware_verclsid_shellcode.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Malware Shellcode in Verclsid Target Process
-author: John Lambert (tech), Florian Roth (rule)
-date: 2017/03/04
-description: Detects a process access to verclsid.exe that injects shellcode from
- a Microsoft Office application / VBA macro
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\verclsid.exe'
- SELECTION_3:
- GrantedAccess: '0x1FFFFF'
- SELECTION_4:
- CallTrace: '*|UNKNOWN(*'
- SELECTION_5:
- CallTrace: '*VBE7.DLL*'
- SELECTION_6:
- SourceImage: '*\Microsoft Office\\*'
- SELECTION_7:
- CallTrace: '*|UNKNOWN*'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
-- unknown
-id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
-level: high
-logsource:
- category: process_access
- definition: 'Use the following config to generate the necessary Event ID 10 Process
- Access events: VBE7.DLLUNKNOWN'
- product: windows
-references:
-- https://twitter.com/JohnLaTwC/status/837743453039534080
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_malware_verclsid_shellcode.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
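Review bot: `definition` reads "VBE7.DLLUNKNOWN" because the Sysmon configuration fragment it quoted has had its XML elements stripped, leaving two `CallTrace` filter values run together; as written it gives the reader no usable configuration and should either be restored as a readable fragment or reduced to a plain sentence. Also, `GrantedAccess: '0x1FFFFF'` is upper-case here but `'0x1fffff'` in the LSASS Memory Dump rule above; settle on one casing unless the engine compares case-insensitively.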
diff --git a/rules/alert-rules/sigma/sysmon_mimikatz_detection_lsass.yml b/rules/alert-rules/sigma/sysmon_mimikatz_detection_lsass.yml
deleted file mode 100644
index 4ef7742b..00000000
--- a/rules/alert-rules/sigma/sysmon_mimikatz_detection_lsass.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Mimikatz Detection LSASS Access
-author: Sherif Eldeeb
-date: 2017/10/18
-description: Detects process access to LSASS which is typical for Mimikatz (0x1000
- PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
- versions", 0x0010 PROCESS_VM_READ)
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- GrantedAccess: '0x1410'
- SELECTION_4:
- GrantedAccess: '0x1010'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Some security products access LSASS in this way.
-fields:
-- ComputerName
-- User
-- SourceImage
-id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/06/21
-references:
-- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
-status: deprecated
-tags:
-- attack.t1003
-- attack.s0002
-- attack.credential_access
-- car.2019-04-004
-yml_filename: sysmon_mimikatz_detection_lsass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
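Review bot: this rule is `status: deprecated` and its `yml_path` already points into `.../rules/windows/deprecated`, so removing it from `alert-rules` is the right call. If the description is reused anywhere, fix the line-wrap artefacts in the constant names (`PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` should have no internal space).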
diff --git a/rules/alert-rules/sigma/sysmon_mimikatz_trough_winrm.yml b/rules/alert-rules/sigma/sysmon_mimikatz_trough_winrm.yml
deleted file mode 100644
index 98ba206a..00000000
--- a/rules/alert-rules/sigma/sysmon_mimikatz_trough_winrm.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Mimikatz through Windows Remote Management
-author: Patryk Prauze - ING Tech
-date: 2019/05/20
-description: Detects usage of mimikatz through WinRM protocol by monitoring access
- to lsass process by wsmprovhost.exe.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- SourceImage: C:\Windows\system32\wsmprovhost.exe
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- low
-id: aa35a627-33fb-4d04-a165-d33b4afca3e8
-level: high
-logsource:
- category: process_access
- product: windows
-modified: 2021/06/21
-references:
-- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
-status: stable
-tags:
-- attack.credential_access
-- attack.execution
-- attack.t1003.001
-- attack.t1003
-- attack.t1059.001
-- attack.t1086
-- attack.lateral_movement
-- attack.t1021.006
-- attack.t1028
-- attack.s0002
-yml_filename: sysmon_mimikatz_trough_winrm.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
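Review bot: `falsepositives: - low` states a likelihood rather than a source of false positives; the rule guide asks for the scenario that could trigger the rule legitimately, or `unknown`. The tag list mixes current and retired technique IDs (`attack.t1086` was superseded by `attack.t1059.001`, `attack.t1028` by `attack.t1021.006`), so only the current ones should remain if the rule is re-added. The filename `sysmon_mimikatz_trough_winrm.yml` also misspells "through".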
diff --git a/rules/alert-rules/sigma/sysmon_modify_screensaver_binary_path.yml b/rules/alert-rules/sigma/sysmon_modify_screensaver_binary_path.yml
deleted file mode 100644
index 9710b857..00000000
--- a/rules/alert-rules/sigma/sysmon_modify_screensaver_binary_path.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Path To Screensaver Binary Modified
-author: Bartlomiej Czyz @bczyz1, oscd.community
-date: 2020/10/11
-description: Detects value modification of registry key containing path to binary
- used as screensaver.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Control Panel\Desktop\SCRNSAVE.EXE'
- SELECTION_5:
- Image: '*\rundll32.exe'
- SELECTION_6:
- Image: '*\explorer.exe'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
- ((SELECTION_5 or SELECTION_6)))
-falsepositives:
-- Legitimate modification of screensaver.
-id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
-- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1546.002
-yml_filename: sysmon_modify_screensaver_binary_path.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_narrator_feedback_persistance.yml b/rules/alert-rules/sigma/sysmon_narrator_feedback_persistance.yml
deleted file mode 100644
index 8590ff12..00000000
--- a/rules/alert-rules/sigma/sysmon_narrator_feedback_persistance.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Narrator's Feedback-Hub Persistence
-author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-description: Detects abusing Windows 10 Narrator's Feedback-Hub
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: DeleteValue
- SELECTION_5:
- TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
- SELECTION_6:
- TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
- SELECTION_5) or SELECTION_6))
-falsepositives:
-- unknown
-id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
-status: experimental
-tags:
-- attack.persistence
-- attack.t1060
-- attack.t1547.001
-yml_filename: sysmon_narrator_feedback_persistance.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
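Review bot: the filename `sysmon_narrator_feedback_persistance.yml` misspells "persistence" (the title has it right), and `attack.t1060` is the retired predecessor of `attack.t1547.001`, so only the latter tag is needed if the rule is re-homed.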
diff --git a/rules/alert-rules/sigma/sysmon_netcat_execution.yml b/rules/alert-rules/sigma/sysmon_netcat_execution.yml
deleted file mode 100644
index e725df02..00000000
--- a/rules/alert-rules/sigma/sysmon_netcat_execution.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Ncat Execution
-author: frack113
-date: 2021/07/21
-description: Adversaries may use a non-application layer protocol for communication
- between host and C2 server or among infected hosts within a network
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\ncat.exe'
- SELECTION_3:
- CommandLine: '* -lvp *'
- SELECTION_4:
- CommandLine: '* -l --proxy-type http *'
- SELECTION_5:
- CommandLine: '* --exec cmd.exe *'
- SELECTION_6:
- CommandLine: '* -vnl --exec *'
- condition: (SELECTION_1 and ((SELECTION_2) or (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6)))
-falsepositives:
-- Legitimate ncat use
-id: e31033fc-33f0-4020-9a16-faf9b31cbf08
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://nmap.org/ncat/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1095
-yml_filename: sysmon_netcat_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
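Review bot: the patterns `'* -l --proxy-type http *'` and `'* --exec cmd.exe *'` end with a space, so a command line in which that argument is the final token is missed; the `SELECTION_2` image match (`'*\ncat.exe'`) covers renamed-binary cases only by accident. If the rule is regenerated, drop the trailing space from the patterns that can legitimately end a command line.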
diff --git a/rules/alert-rules/sigma/sysmon_new_application_appcompat.yml b/rules/alert-rules/sigma/sysmon_new_application_appcompat.yml
deleted file mode 100644
index 8e44edaf..00000000
--- a/rules/alert-rules/sigma/sysmon_new_application_appcompat.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: New Application in AppCompat
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for a new application in AppCompat. This indicates
- an application executing for the first time on an endpoint.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\AppCompatFlags\Compatibility Assistant\Store\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- This rule is to explore new applications on an endpoint. False positives depends
- on the organization.
-- Newly setup system.
-- Legitimate installation of new application.
-id: 60936b49-fca0-4f32-993d-7415edcf9a5d
-level: informational
-logsource:
- category: registry_event
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/1
-- https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1204.002
-yml_filename: sysmon_new_application_appcompat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
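Review bot: `level: informational` is not one of the level values the other rules in this set use (`low`, `medium`, `high`, `critical` in the neighbouring files); check it against the vocabulary the rule loader actually accepts before this rule is re-added, since an unrecognised level would silently fall through any level-based filtering.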
diff --git a/rules/alert-rules/sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/alert-rules/sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
deleted file mode 100644
index 331947ea..00000000
--- a/rules/alert-rules/sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: New DLL Added to AppCertDlls Registry Key
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value
- in the Registry key can be abused to obtain persistence and privilege escalation
- by causing a malicious DLL to be loaded and run in the context of separate processes
- on the computer.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
- SELECTION_5:
- NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-fields:
-- EventID
-- Image
-- TargetObject
-- NewName
-id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
-status: experimental
-tags:
-- attack.persistence
-- attack.t1182
-- attack.t1546.009
-yml_filename: sysmon_new_dll_added_to_appcertdlls_registry_key.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
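Review bot: SELECTION_5 has a typo, `HKLM\SYSTEM\CurentControlSet\...` (missing `r`), so the `NewName` branch of `(SELECTION_4 or SELECTION_5)` can never match a real rename event and the rule only covers SELECTION_4; if this rule is re-added in the new format, correct it to `CurrentControlSet`.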
diff --git a/rules/alert-rules/sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/alert-rules/sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
deleted file mode 100644
index bfd38d2e..00000000
--- a/rules/alert-rules/sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: New DLL Added to AppInit_DLLs Registry Key
-author: Ilyas Ochkov, oscd.community, Tim Shelton
-date: 2019/10/25
-description: DLLs that are specified in the AppInit_DLLs value in the Registry key
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
- into every process that loads user32.dll
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- SELECTION_5:
- TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- SELECTION_6:
- NewName: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- SELECTION_7:
- NewName: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- SELECTION_8:
- Details: (Empty)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5)
- or (SELECTION_6 or SELECTION_7)) and not (SELECTION_8))
-falsepositives:
-- Unknown
-fields:
-- EventID
-- Image
-- TargetObject
-- NewName
-id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/11/11
-references:
-- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
-status: experimental
-tags:
-- attack.persistence
-- attack.t1103
-- attack.t1546.010
-yml_filename: sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
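Review bot: the tags keep the deprecated technique id `attack.t1103` next to its replacement `attack.t1546.010`; the same pattern appears elsewhere in this patch (`attack.t1182` beside `attack.t1546.009`, `attack.t1086` beside `attack.t1059.001`). If the rules are regenerated, consider dropping the deprecated ids so that tag-based reporting does not double-count techniques.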
-
diff --git a/rules/alert-rules/sigma/sysmon_notepad_network_connection.yml b/rules/alert-rules/sigma/sysmon_notepad_network_connection.yml
deleted file mode 100644
index 0f4c3d9b..00000000
--- a/rules/alert-rules/sigma/sysmon_notepad_network_connection.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Notepad Making Network Connection
-author: EagleEye Team
-date: 2020/05/14
-description: Detects suspicious network connection by Notepad
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\notepad.exe'
- SELECTION_3:
- DestinationPort: '9100'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- None observed so far
-id: e81528db-fc02-45e8-8e98-4e84aba1f10b
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
-- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
-status: experimental
-tags:
-- attack.command_and_control
-- attack.execution
-- attack.defense_evasion
-- attack.t1055
-yml_filename: sysmon_notepad_network_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
diff --git a/rules/alert-rules/sigma/sysmon_office_persistence.yml b/rules/alert-rules/sigma/sysmon_office_persistence.yml
deleted file mode 100644
index 3b26b38d..00000000
--- a/rules/alert-rules/sigma/sysmon_office_persistence.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Microsoft Office Add-In Loading
-author: NVISO
-date: 2020/05/11
-description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll
- are simply .dll fit for Word or Excel).
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\Microsoft\Word\Startup\\*'
- SELECTION_3:
- TargetFilename: '*.wll'
- SELECTION_4:
- TargetFilename: '*\Microsoft\Excel\Startup\\*'
- SELECTION_5:
- TargetFilename: '*.xll'
- SELECTION_6:
- TargetFilename: '*\Microsoft\Addins\\*'
- SELECTION_7:
- TargetFilename: '*.xlam'
- SELECTION_8:
- TargetFilename: '*.xla'
- condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5)) or (SELECTION_6 and (SELECTION_7 or SELECTION_8))))
-falsepositives:
-- Legitimate add-ins
-id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- Internal Research
-status: experimental
-tags:
-- attack.persistence
-- attack.t1137
-- attack.t1137.006
-yml_filename: sysmon_office_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_office_test_regadd.yml b/rules/alert-rules/sigma/sysmon_office_test_regadd.yml
deleted file mode 100644
index 7d1f4e2a..00000000
--- a/rules/alert-rules/sigma/sysmon_office_test_regadd.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Office Application Startup - Office Test
-author: omkar72
-date: 2020/10/25
-description: Detects the addition of office test registry that allows a user to specify
- an arbitrary DLL that will be executed every time an Office application is started
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCU\Software\Microsoft\Office test\Special\Perf
- SELECTION_5:
- TargetObject: HKLM\Software\Microsoft\Office test\Special\Perf
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unlikely
-id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/13
-references:
-- https://attack.mitre.org/techniques/T1137/002/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1137.002
-yml_filename: sysmon_office_test_regadd.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_office_vsto_persistence.yml b/rules/alert-rules/sigma/sysmon_office_vsto_persistence.yml
deleted file mode 100644
index 423aacd6..00000000
--- a/rules/alert-rules/sigma/sysmon_office_vsto_persistence.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Stealthy VSTO Persistence
-author: Bhabesh Raj
-date: 2021/01/10
-description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins
- in Office applications.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Image: '*\msiexec.exe'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*\Software\Microsoft\Office\Outlook\Addins\\*'
- SELECTION_6:
- TargetObject: '*\Software\Microsoft\Office\Word\Addins\\*'
- SELECTION_7:
- TargetObject: '*\Software\Microsoft\Office\Excel\Addins\\*'
- SELECTION_8:
- TargetObject: '*\Software\Microsoft\Office\Powerpoint\Addins\\*'
- SELECTION_9:
- TargetObject: '*\Software\Microsoft\VSTO\Security\Inclusion\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) and not (SELECTION_10))
-falsepositives:
-- Unknown
-id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/07/27
-references:
-- https://twitter.com/_vivami/status/1347925307643355138
-- https://vanmieghem.io/stealth-outlook-persistence/
-status: experimental
-tags:
-- attack.t1137.006
-- attack.persistence
-yml_filename: sysmon_office_vsto_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
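Review bot: the selections are ordered lexicographically, so `SELECTION_10` (the `msiexec.exe` exclusion) sits between `SELECTION_1` and `SELECTION_2`, which makes the `and not (SELECTION_10)` clause easy to misread when auditing the condition. The converter should sort selection names numerically when it emits the detection block; the same ordering problem shows up in the larger rules in this patch.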
diff --git a/rules/alert-rules/sigma/sysmon_outlook_newform.yml b/rules/alert-rules/sigma/sysmon_outlook_newform.yml
deleted file mode 100644
index 5c7100ab..00000000
--- a/rules/alert-rules/sigma/sysmon_outlook_newform.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Outlook Form Installation
-author: Tobias Michalski
-date: 2021/06/10
-description: Detects the creation of new Outlook form which can contain malicious
- code
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: \outlook.exe
- SELECTION_3:
- TargetFilename: '*\appdata\local\microsoft\FORMS\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-fields:
-- TargetFilename
-id: c3edc6a5-d9d4-48d8-930e-aab518390917
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-status: experimental
-tags:
-- attack.persistence
-- attack.t1137.003
-yml_filename: sysmon_outlook_newform.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
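Review bot: `Image: \outlook.exe` in SELECTION_2 has no leading wildcard, unlike the `'*\notepad.exe'` / `'*\powershell.exe'` patterns used in the other rules here, so it is an exact match against a bare `\outlook.exe` and never matches a full image path; the rule cannot fire as written. If it is re-added, use `'*\outlook.exe'`.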
diff --git a/rules/alert-rules/sigma/sysmon_password_dumper_lsass.yml b/rules/alert-rules/sigma/sysmon_password_dumper_lsass.yml
deleted file mode 100644
index 9dbe207c..00000000
--- a/rules/alert-rules/sigma/sysmon_password_dumper_lsass.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Password Dumper Remote Thread in LSASS
-author: Thomas Patzke
-date: 2017/02/19
-description: Detects password dumper activity by monitoring remote thread creation
- EventID 8 in combination with the lsass.exe process as TargetImage. The process
- in field Process is the malicious program. A single execution can lead to hundreds
- of events.
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- StartModule: ''
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Antivirus products
-id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-level: high
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2021/06/21
-references:
-- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
-status: stable
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.s0005
-- attack.t1003.001
-yml_filename: sysmon_password_dumper_lsass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
diff --git a/rules/alert-rules/sigma/sysmon_pcre_net_load.yml b/rules/alert-rules/sigma/sysmon_pcre_net_load.yml
deleted file mode 100644
index c5ba4c47..00000000
--- a/rules/alert-rules/sigma/sysmon_pcre_net_load.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: PCRE.NET Package Image Load
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-description: Detects processes loading modules related to PCRE.NET package
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 84b0a8f3-680b-4096-a45b-e9a89221727c
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/08/14
-references:
-- https://twitter.com/rbmaslen/status/1321859647091970051
-- https://twitter.com/tifkin_/status/1321916444557365248
-status: experimental
-tags:
-- attack.execution
-- attack.t1059
-yml_filename: sysmon_pcre_net_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_pcre_net_temp_file.yml b/rules/alert-rules/sigma/sysmon_pcre_net_temp_file.yml
deleted file mode 100644
index 0d393136..00000000
--- a/rules/alert-rules/sigma/sysmon_pcre_net_temp_file.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: PCRE.NET Package Temp Files
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-description: Detects processes creating temp files related to PCRE.NET package
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/08/14
-references:
-- https://twitter.com/rbmaslen/status/1321859647091970051
-- https://twitter.com/tifkin_/status/1321916444557365248
-status: experimental
-tags:
-- attack.execution
-- attack.t1059
-yml_filename: sysmon_pcre_net_temp_file.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_powershell_as_service.yml b/rules/alert-rules/sigma/sysmon_powershell_as_service.yml
deleted file mode 100644
index 43329713..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_as_service.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: PowerShell as a Service in Registry
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects that a powershell code is written to the registry as a service.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Services\\*'
- SELECTION_5:
- TargetObject: '*\ImagePath'
- SELECTION_6:
- Details: '*powershell*'
- SELECTION_7:
- Details: '*pwsh*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and (SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unknown
-id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.execution
-- attack.t1569.002
-yml_filename: sysmon_powershell_as_service.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_powershell_code_injection.yml b/rules/alert-rules/sigma/sysmon_powershell_code_injection.yml
deleted file mode 100644
index 2c5b221b..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_code_injection.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Accessing WinAPI in PowerShell. Code Injection.
-author: Nikita Nazarov, oscd.community
-date: 2020/10/06
-description: Detecting Code injection with PowerShell in another process
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- SourceImage: '*\powershell.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
-level: high
-logsource:
- category: create_remote_thread
- definition: Note that you have to configure logging for CreateRemoteThread in
- Symson config
- product: windows
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: sysmon_powershell_code_injection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
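Review bot: SELECTION_2 only matches `*\powershell.exe`, while the PowerShell-as-service rule in this same patch also covers `pwsh`; if this rule is re-added, consider a second selection for `*\pwsh.exe` so PowerShell 7 hosts are not missed. Minor: `Symson` in the `definition` text should read `Sysmon`.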
diff --git a/rules/alert-rules/sigma/sysmon_powershell_execution_pipe.yml b/rules/alert-rules/sigma/sysmon_powershell_execution_pipe.yml
deleted file mode 100644
index b0e3b5c0..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_execution_pipe.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: T1086 PowerShell Execution
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-description: Detects execution of PowerShell
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: \PSHost*
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
-falsepositives:
-- Unknown
-id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
-level: informational
-logsource:
- category: pipe_created
- product: windows
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: sysmon_powershell_execution_pipe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
diff --git a/rules/alert-rules/sigma/sysmon_powershell_exploit_scripts.yml b/rules/alert-rules/sigma/sysmon_powershell_exploit_scripts.yml
deleted file mode 100644
index 9b45b94d..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_exploit_scripts.yml
+++ /dev/null
@@ -1,234 +0,0 @@
-title: Malicious PowerShell Commandlet Names
-author: Markus Neis
-date: 2018/04/07
-description: Detects the creation of known powershell scripts for exploitation
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*\Invoke-TokenManipulation.ps1'
- SELECTION_11:
- TargetFilename: '*\Out-Minidump.ps1'
- SELECTION_12:
- TargetFilename: '*\VolumeShadowCopyTools.ps1'
- SELECTION_13:
- TargetFilename: '*\Invoke-ReflectivePEInjection.ps1'
- SELECTION_14:
- TargetFilename: '*\Get-TimedScreenshot.ps1'
- SELECTION_15:
- TargetFilename: '*\Invoke-UserHunter.ps1'
- SELECTION_16:
- TargetFilename: '*\Find-GPOLocation.ps1'
- SELECTION_17:
- TargetFilename: '*\Invoke-ACLScanner.ps1'
- SELECTION_18:
- TargetFilename: '*\Invoke-DowngradeAccount.ps1'
- SELECTION_19:
- TargetFilename: '*\Get-ServiceUnquoted.ps1'
- SELECTION_2:
- TargetFilename: '*\Invoke-DllInjection.ps1'
- SELECTION_20:
- TargetFilename: '*\Get-ServiceFilePermission.ps1'
- SELECTION_21:
- TargetFilename: '*\Get-ServicePermission.ps1'
- SELECTION_22:
- TargetFilename: '*\Invoke-ServiceAbuse.ps1'
- SELECTION_23:
- TargetFilename: '*\Install-ServiceBinary.ps1'
- SELECTION_24:
- TargetFilename: '*\Get-RegAutoLogon.ps1'
- SELECTION_25:
- TargetFilename: '*\Get-VulnAutoRun.ps1'
- SELECTION_26:
- TargetFilename: '*\Get-VulnSchTask.ps1'
- SELECTION_27:
- TargetFilename: '*\Get-UnattendedInstallFile.ps1'
- SELECTION_28:
- TargetFilename: '*\Get-WebConfig.ps1'
- SELECTION_29:
- TargetFilename: '*\Get-ApplicationHost.ps1'
- SELECTION_3:
- TargetFilename: '*\Invoke-WmiCommand.ps1'
- SELECTION_30:
- TargetFilename: '*\Get-RegAlwaysInstallElevated.ps1'
- SELECTION_31:
- TargetFilename: '*\Get-Unconstrained.ps1'
- SELECTION_32:
- TargetFilename: '*\Add-RegBackdoor.ps1'
- SELECTION_33:
- TargetFilename: '*\Add-ScrnSaveBackdoor.ps1'
- SELECTION_34:
- TargetFilename: '*\Gupt-Backdoor.ps1'
- SELECTION_35:
- TargetFilename: '*\Invoke-ADSBackdoor.ps1'
- SELECTION_36:
- TargetFilename: '*\Enabled-DuplicateToken.ps1'
- SELECTION_37:
- TargetFilename: '*\Invoke-PsUaCme.ps1'
- SELECTION_38:
- TargetFilename: '*\Remove-Update.ps1'
- SELECTION_39:
- TargetFilename: '*\Check-VM.ps1'
- SELECTION_4:
- TargetFilename: '*\Get-GPPPassword.ps1'
- SELECTION_40:
- TargetFilename: '*\Get-LSASecret.ps1'
- SELECTION_41:
- TargetFilename: '*\Get-PassHashes.ps1'
- SELECTION_42:
- TargetFilename: '*\Show-TargetScreen.ps1'
- SELECTION_43:
- TargetFilename: '*\Port-Scan.ps1'
- SELECTION_44:
- TargetFilename: '*\Invoke-PoshRatHttp.ps1'
- SELECTION_45:
- TargetFilename: '*\Invoke-PowerShellTCP.ps1'
- SELECTION_46:
- TargetFilename: '*\Invoke-PowerShellWMI.ps1'
- SELECTION_47:
- TargetFilename: '*\Add-Exfiltration.ps1'
- SELECTION_48:
- TargetFilename: '*\Add-Persistence.ps1'
- SELECTION_49:
- TargetFilename: '*\Do-Exfiltration.ps1'
- SELECTION_5:
- TargetFilename: '*\Get-Keystrokes.ps1'
- SELECTION_50:
- TargetFilename: '*\Start-CaptureServer.ps1'
- SELECTION_51:
- TargetFilename: '*\Invoke-ShellCode.ps1'
- SELECTION_52:
- TargetFilename: '*\Get-ChromeDump.ps1'
- SELECTION_53:
- TargetFilename: '*\Get-ClipboardContents.ps1'
- SELECTION_54:
- TargetFilename: '*\Get-FoxDump.ps1'
- SELECTION_55:
- TargetFilename: '*\Get-IndexedItem.ps1'
- SELECTION_56:
- TargetFilename: '*\Get-Screenshot.ps1'
- SELECTION_57:
- TargetFilename: '*\Invoke-Inveigh.ps1'
- SELECTION_58:
- TargetFilename: '*\Invoke-NetRipper.ps1'
- SELECTION_59:
- TargetFilename: '*\Invoke-EgressCheck.ps1'
- SELECTION_6:
- TargetFilename: '*\Get-VaultCredential.ps1'
- SELECTION_60:
- TargetFilename: '*\Invoke-PostExfil.ps1'
- SELECTION_61:
- TargetFilename: '*\Invoke-PSInject.ps1'
- SELECTION_62:
- TargetFilename: '*\Invoke-RunAs.ps1'
- SELECTION_63:
- TargetFilename: '*\MailRaider.ps1'
- SELECTION_64:
- TargetFilename: '*\New-HoneyHash.ps1'
- SELECTION_65:
- TargetFilename: '*\Set-MacAttribute.ps1'
- SELECTION_66:
- TargetFilename: '*\Invoke-DCSync.ps1'
- SELECTION_67:
- TargetFilename: '*\Invoke-PowerDump.ps1'
- SELECTION_68:
- TargetFilename: '*\Exploit-Jboss.ps1'
- SELECTION_69:
- TargetFilename: '*\Invoke-ThunderStruck.ps1'
- SELECTION_7:
- TargetFilename: '*\Invoke-CredentialInjection.ps1'
- SELECTION_70:
- TargetFilename: '*\Invoke-VoiceTroll.ps1'
- SELECTION_71:
- TargetFilename: '*\Set-Wallpaper.ps1'
- SELECTION_72:
- TargetFilename: '*\Invoke-InveighRelay.ps1'
- SELECTION_73:
- TargetFilename: '*\Invoke-PsExec.ps1'
- SELECTION_74:
- TargetFilename: '*\Invoke-SSHCommand.ps1'
- SELECTION_75:
- TargetFilename: '*\Get-SecurityPackages.ps1'
- SELECTION_76:
- TargetFilename: '*\Install-SSP.ps1'
- SELECTION_77:
- TargetFilename: '*\Invoke-BackdoorLNK.ps1'
- SELECTION_78:
- TargetFilename: '*\PowerBreach.ps1'
- SELECTION_79:
- TargetFilename: '*\Get-SiteListPassword.ps1'
- SELECTION_8:
- TargetFilename: '*\Invoke-Mimikatz.ps1'
- SELECTION_80:
- TargetFilename: '*\Get-System.ps1'
- SELECTION_81:
- TargetFilename: '*\Invoke-BypassUAC.ps1'
- SELECTION_82:
- TargetFilename: '*\Invoke-Tater.ps1'
- SELECTION_83:
- TargetFilename: '*\Invoke-WScriptBypassUAC.ps1'
- SELECTION_84:
- TargetFilename: '*\PowerUp.ps1'
- SELECTION_85:
- TargetFilename: '*\PowerView.ps1'
- SELECTION_86:
- TargetFilename: '*\Get-RickAstley.ps1'
- SELECTION_87:
- TargetFilename: '*\Find-Fruit.ps1'
- SELECTION_88:
- TargetFilename: '*\HTTP-Login.ps1'
- SELECTION_89:
- TargetFilename: '*\Find-TrustedDocuments.ps1'
- SELECTION_9:
- TargetFilename: '*\Invoke-NinjaCopy.ps1'
- SELECTION_90:
- TargetFilename: '*\Invoke-Paranoia.ps1'
- SELECTION_91:
- TargetFilename: '*\Invoke-WinEnum.ps1'
- SELECTION_92:
- TargetFilename: '*\Invoke-ARPScan.ps1'
- SELECTION_93:
- TargetFilename: '*\Invoke-PortScan.ps1'
- SELECTION_94:
- TargetFilename: '*\Invoke-ReverseDNSLookup.ps1'
- SELECTION_95:
- TargetFilename: '*\Invoke-SMBScanner.ps1'
- SELECTION_96:
- TargetFilename: '*\Invoke-Mimikittenz.ps1'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
- or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
- or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
- or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
- or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
- or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
- or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
- or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
- or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
- or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95
- or SELECTION_96))
-falsepositives:
-- Penetration Tests
-id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
-status: experimental
-tags:
-- attack.execution
-- attack.t1086
-- attack.t1059.001
-yml_filename: sysmon_powershell_exploit_scripts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
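Review bot: the converter has expanded a single list of 95 `TargetFilename` values into 95 separate selections and a 20-line `or` chain in `condition`, which is hard to review and to diff when a script name is added or removed. Keeping list values under one selection (one field, many values) would give the same semantics with a one-line condition.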
diff --git a/rules/alert-rules/sigma/sysmon_powershell_network_connection.yml b/rules/alert-rules/sigma/sysmon_powershell_network_connection.yml
deleted file mode 100644
index be69ea27..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_network_connection.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-title: PowerShell Network Connections
-author: Florian Roth
-date: 2017/03/13
-description: Detects a Powershell process that opens network connections - check for
- suspicious target ports and target systems - adjust to your environment (e.g.
- extend filters with company's ip range')
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- DestinationIp: 172.19.*
- SELECTION_11:
- DestinationIp: 172.20.*
- SELECTION_12:
- DestinationIp: 172.21.*
- SELECTION_13:
- DestinationIp: 172.22.*
- SELECTION_14:
- DestinationIp: 172.23.*
- SELECTION_15:
- DestinationIp: 172.24.*
- SELECTION_16:
- DestinationIp: 172.25.*
- SELECTION_17:
- DestinationIp: 172.26.*
- SELECTION_18:
- DestinationIp: 172.27.*
- SELECTION_19:
- DestinationIp: 172.28.*
- SELECTION_2:
- Image: '*\powershell.exe'
- SELECTION_20:
- DestinationIp: 172.29.*
- SELECTION_21:
- DestinationIp: 172.30.*
- SELECTION_22:
- DestinationIp: 172.31.*
- SELECTION_23:
- DestinationIp: 127.0.0.1*
- SELECTION_24:
- DestinationIsIpv6: 'false'
- SELECTION_25:
- User: NT AUTHORITY\SYSTEM
- SELECTION_26:
- User: '*AUT*'
- SELECTION_27:
- User: '* NT*'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIsIpv6: 'false'
- SELECTION_5:
- DestinationIp: 10.*
- SELECTION_6:
- DestinationIp: 192.168.*
- SELECTION_7:
- DestinationIp: 172.16.*
- SELECTION_8:
- DestinationIp: 172.17.*
- SELECTION_9:
- DestinationIp: 172.18.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
- ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24
- and SELECTION_25 and SELECTION_26 and SELECTION_27))
-falsepositives:
-- Administrative scripts
-id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
-level: low
-logsource:
- category: network_connection
- product: windows
-modified: 2021/06/14
-references:
-- https://www.youtube.com/watch?v=DLtJTxMWZ2o
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: sysmon_powershell_network_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
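Review bot: the exclusion block in `condition` ANDs SELECTION_25 (`User: NT AUTHORITY\SYSTEM`), SELECTION_26 (`*AUT*`) and SELECTION_27 (`* NT*`), but a single `User` value cannot equal `NT AUTHORITY\SYSTEM` and also contain ` NT` (space before NT), so `(... and SELECTION_25 and SELECTION_26 and SELECTION_27)` is always false, `not (...)` is always true, and the private-range/SYSTEM exclusion never applies. These three look like alternative values of one field and should be joined with `or`. Also, SELECTION_4 and SELECTION_24 are the same `DestinationIsIpv6: 'false'` check.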
diff --git a/rules/alert-rules/sigma/sysmon_powershell_startup_shortcuts.yml b/rules/alert-rules/sigma/sysmon_powershell_startup_shortcuts.yml
deleted file mode 100644
index 8f531972..00000000
--- a/rules/alert-rules/sigma/sysmon_powershell_startup_shortcuts.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: PowerShell Writing Startup Shortcuts
-author: Christopher Peacock '@securepeacock', SCYTHE
-date: 2021/10/24
-description: Attempts to detect PowerShell writing startup shortcuts. This procedure
- was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe
- adversaries using PowerShell to write malicious .lnk files into the startup directory
- to establish persistence. Accordingly, this detection opportunity is likely to
- identify persistence mechanisms in multiple threats. In the context of Yellow
- Cockatoo, this persistence mechanism eventually launches the command-line script
- that leads to the installation of a malicious DLL"
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*\powershell.exe'
- SELECTION_3:
- TargetFilename: '*\start menu\programs\startup\\*'
- SELECTION_4:
- TargetFilename: '*.lnk'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-- Depending on your environment accepted applications may leverage this at times.
- It is recomended to search for anomolies inidicative of malware.
-id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://redcanary.com/blog/intelligence-insights-october-2021/
-- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
-status: experimental
-tags:
-- attack.registry_run_keys_/_startup_folder
-- attack.t1547.001
-yml_filename: sysmon_powershell_startup_shortcuts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
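Review bot: the tag `attack.registry_run_keys_/_startup_folder` is a sub-technique name, not a tactic tag of the `attack.<tactic>` form used by every other rule in this patch (`attack.persistence` is the matching tactic for `attack.t1547.001`); anything that keys on tactic tags will miss this rule. The `falsepositives` text also has typos (`recomended`, `anomolies inidicative`).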
diff --git a/rules/alert-rules/sigma/sysmon_proxy_execution_wuauclt.yml b/rules/alert-rules/sigma/sysmon_proxy_execution_wuauclt.yml
deleted file mode 100644
index aab4b62e..00000000
--- a/rules/alert-rules/sigma/sysmon_proxy_execution_wuauclt.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Proxy Execution via Wuauclt
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
-date: 2020/10/12
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
- proxy execute code.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*wuauclt*'
- SELECTION_3:
- OriginalFileName: wuauclt.exe
- SELECTION_4:
- CommandLine: '*UpdateDeploymentProvider*'
- SELECTION_5:
- CommandLine: '*.dll*'
- SELECTION_6:
- CommandLine: '*RunHandlerComServer*'
- SELECTION_7:
- CommandLine: '* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *'
- SELECTION_8:
- CommandLine: '* wuaueng.dll *'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) and (SELECTION_4 and
- SELECTION_5 and SELECTION_6)) and not ((SELECTION_7 or SELECTION_8)))
-falsepositives:
-- Unknown
-id: af77cf95-c469-471c-b6a0-946c685c4798
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/05/10
-references:
-- https://dtm.uk/wuauclt/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: sysmon_proxy_execution_wuauclt.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
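Review bot: SELECTION_2 `Image: '*wuauclt*'` has no path separator before the name, so it matches any image whose full path merely contains `wuauclt` (a directory named that way is enough), whereas `'*\wuauclt.exe'` would anchor on the file name. SELECTION_3 `OriginalFileName: wuauclt.exe` already catches renamed copies, so the loose Image pattern adds noise rather than coverage; if this `level: critical` rule is re-added elsewhere, tighten SELECTION_2 there.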
diff --git a/rules/alert-rules/sigma/sysmon_psexec_pipes_artifacts.yml b/rules/alert-rules/sigma/sysmon_psexec_pipes_artifacts.yml
deleted file mode 100644
index 0fd870f4..00000000
--- a/rules/alert-rules/sigma/sysmon_psexec_pipes_artifacts.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: PsExec Pipes Artifacts
-author: Nikita Nazarov, oscd.community
-date: 2020/05/10
-description: Detecting use PsExec via Pipe Creation/Access to pipes
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: psexec*
- SELECTION_4:
- PipeName: paexec*
- SELECTION_5:
- PipeName: remcom*
- SELECTION_6:
- PipeName: csexec*
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Legitimate Administrator activity
-id: 9e77ed63-2ecf-4c7b-b09d-640834882028
-level: medium
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-references:
-- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-yml_filename: sysmon_psexec_pipes_artifacts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
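Review bot: the PipeName patterns `psexec*`, `paexec*`, `remcom*`, `csexec*` are prefix matches with no leading `\`, but Sysmon Event 17/18 records `PipeName` with a leading backslash (for example `\PSEXESVC`, `\PSEXEC-<host>-<pid>-stdin`), so as written these selections never match; the patterns need to be `\psexec*` and so on (or `*psexec*`). Also the `definition` block here is the only place in this directory that documents the Event ID 17/18 Sysmon configuration requirement and the test script; keep that text with whatever replaces this file.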
diff --git a/rules/alert-rules/sigma/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_pypykatz_cred_dump_lsass_access.yml
deleted file mode 100644
index 5c9f3f51..00000000
--- a/rules/alert-rules/sigma/sysmon_pypykatz_cred_dump_lsass_access.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Credential Dumping by Pypykatz
-author: Bhabesh Raj
-date: 2021/08/03
-description: Detects LSASS process access by pypykatz for credential dumping.
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\lsass.exe'
- SELECTION_3:
- CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
- SELECTION_4:
- CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
- SELECTION_5:
- CallTrace: '*libffi-7.dll*'
- SELECTION_6:
- CallTrace: '*_ctypes.pyd+*'
- SELECTION_7:
- CallTrace: '*python3*.dll+*'
- SELECTION_8:
- GrantedAccess: '0x1FFFFF'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6 and SELECTION_7 and SELECTION_8)
-falsepositives:
-- Unknown
-id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
-level: critical
-logsource:
- category: process_access
- product: windows
-references:
-- https://github.com/skelsec/pypykatz
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.001
-yml_filename: sysmon_pypykatz_cred_dump_lsass_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
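Review bot: the condition ANDs all five CallTrace selections, and SELECTION_5 `'*libffi-7.dll*'` pins the rule to one libffi build while SELECTION_7 `'*python3*.dll+*'` already wildcards the Python version; a runtime shipping a differently numbered libffi evades the whole rule. If re-added, loosen SELECTION_5 to `'*libffi-*.dll*'`. SELECTION_8 `GrantedAccess: '0x1FFFFF'` is a single equality match, so any other LSASS access mask misses; confirm that exact-mask behaviour is intended for a `level: critical` rule.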
diff --git a/rules/alert-rules/sigma/sysmon_quarkspw_filedump.yml b/rules/alert-rules/sigma/sysmon_quarkspw_filedump.yml
deleted file mode 100644
index 8221a4e4..00000000
--- a/rules/alert-rules/sigma/sysmon_quarkspw_filedump.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: QuarksPwDump Dump File
-author: Florian Roth
-date: 2018/02/10
-description: Detects a dump file written by QuarksPwDump password dumper
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Temp\SAM-*'
- SELECTION_3:
- TargetFilename: '*.dmp*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 847def9e-924d-4e90-b7c4-5f581395a2b4
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.002
-yml_filename: sysmon_quarkspw_filedump.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
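Review bot: the tag list carries both `attack.t1003` and `attack.t1003.002`; the parent technique is redundant once the sub-technique is present and should be dropped if the rule is regenerated. SELECTION_3 `TargetFilename: '*.dmp*'` has a trailing wildcard, so `.dmp` may sit anywhere in the name rather than at the end; `'*.dmp'` is the tighter form unless temporary suffixes are deliberately included.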
diff --git a/rules/alert-rules/sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/alert-rules/sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml
deleted file mode 100644
index 0d91972d..00000000
--- a/rules/alert-rules/sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-title: Raw Disk Access Using Illegitimate Tools
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-description: Raw disk access using illegitimate tools, possible defence evasion
-detection:
- SELECTION_1:
- EventID: 9
- SELECTION_10:
- Image: '*\compattelrunner.exe'
- SELECTION_11:
- Image: '*\wininit.exe'
- SELECTION_12:
- Image: '*\autochk.exe'
- SELECTION_13:
- Image: '*\taskhost.exe'
- SELECTION_14:
- Image: '*\dfsrs.exe'
- SELECTION_15:
- Image: '*\vds.exe'
- SELECTION_16:
- Image: '*\lsass.exe'
- SELECTION_17:
- Image: '*\svchost.exe'
- SELECTION_2:
- Device: '*floppy*'
- SELECTION_3:
- Image: '*\wmiprvse.exe'
- SELECTION_4:
- Image: '*\sdiagnhost.exe'
- SELECTION_5:
- Image: '*\searchindexer.exe'
- SELECTION_6:
- Image: '*\csrss.exe'
- SELECTION_7:
- Image: '*\defrag.exe'
- SELECTION_8:
- Image: '*\smss.exe'
- SELECTION_9:
- Image: '*\vssvc.exe'
- condition: (SELECTION_1 and not (SELECTION_2) and not ((SELECTION_3 or SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17)))
-falsepositives:
-- Legitimate Administrator using tool for raw access or ongoing forensic investigation
-fields:
-- ComputerName
-- Image
-- ProcessID
-- Device
-id: db809f10-56ce-4420-8c86-d6a7d793c79c
-level: medium
-logsource:
- category: raw_access_thread
- product: windows
-modified: 2021/11/09
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1006
-yml_filename: sysmon_raw_disk_access_using_illegitimate_tools.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/raw_access_thread
-
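Review bot: every exclusion in SELECTION_3 through SELECTION_17 is a bare file-name suffix (`'*\svchost.exe'`, `'*\lsass.exe'`, ...), so a tool dropped anywhere on disk under one of those names is whitelisted from the raw-access alert. Since this is a `not (...)` filter on `attack.t1006` defense-evasion activity, anchoring the filters on the expected system directory rather than the file name alone would close that bypass if the rule is re-added.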
diff --git a/rules/alert-rules/sigma/sysmon_rclone_execution.yml b/rules/alert-rules/sigma/sysmon_rclone_execution.yml
deleted file mode 100644
index a600f505..00000000
--- a/rules/alert-rules/sigma/sysmon_rclone_execution.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-title: RClone Execution
-author: Bhabesh Raj, Sittikorn S
-date: 2021/05/10
-description: Detects execution of RClone utility for exfiltration as used by various
- ransomwares strains like REvil, Conti, FiveHands, etc
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*--progress*'
- SELECTION_11:
- CommandLine: '*--ignore-existing*'
- SELECTION_12:
- CommandLine: '*--auto-confirm*'
- SELECTION_13:
- CommandLine: '*--transfers*'
- SELECTION_14:
- CommandLine: '*--multi-thread-streams*'
- SELECTION_2:
- Description: Rsync for cloud storage
- SELECTION_3:
- CommandLine: '*--config *'
- SELECTION_4:
- CommandLine: '*--no-check-certificate *'
- SELECTION_5:
- CommandLine: '* copy *'
- SELECTION_6:
- Image: '*\rclone.exe'
- SELECTION_7:
- CommandLine: '*mega*'
- SELECTION_8:
- CommandLine: '*pcloud*'
- SELECTION_9:
- CommandLine: '*ftp*'
- condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
- or ((SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))))
-falsepositives:
-- Legitimate RClone use
-fields:
-- CommandLine
-- ParentCommandLine
-- Details
-id: a0d63692-a531-4912-ad39-4393325b2a9c
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/29
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
-- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
-- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
-status: deprecated
-tags:
-- attack.exfiltration
-- attack.t1567.002
-yml_filename: sysmon_rclone_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
-
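Review bot: this file carries `status: deprecated` and a `yml_path` under `.../windows/deprecated`, so unlike the `experimental` rules deleted around it, its removal needs no replacement; worth stating in the commit message so nobody re-imports it from upstream. For anyone porting the logic, SELECTION_9 `CommandLine: '*ftp*'` is only safe because the condition ANDs it with SELECTION_6 `Image: '*\rclone.exe'`.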
diff --git a/rules/alert-rules/sigma/sysmon_rdp_registry_modification.yml b/rules/alert-rules/sigma/sysmon_rdp_registry_modification.yml
deleted file mode 100644
index 175daa6b..00000000
--- a/rules/alert-rules/sigma/sysmon_rdp_registry_modification.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: RDP Registry Modification
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-description: Detects potential malicious modification of the property value of fDenyTSConnections
- and UserAuthentication to enable remote desktop connections.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
- SELECTION_5:
- TargetObject: '*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
- SELECTION_6:
- Details: DWORD (0x00000000)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and SELECTION_6)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- Image
-- EventType
-- TargetObject
-id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2019/11/10
-references:
-- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_rdp_registry_modification.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_rdp_reverse_tunnel.yml b/rules/alert-rules/sigma/sysmon_rdp_reverse_tunnel.yml
deleted file mode 100644
index 271de8fc..00000000
--- a/rules/alert-rules/sigma/sysmon_rdp_reverse_tunnel.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: RDP Over Reverse SSH Tunnel
-author: Samir Bousseaden
-date: 2019/02/16
-description: Detects svchost hosting RDP termsvcs communicating with the loopback
- address and on TCP port 3389
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\svchost.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- SourcePort: 3389
- SELECTION_5:
- DestinationIp: 127.*
- SELECTION_6:
- DestinationIp: ::1
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and
- ((SELECTION_5) or (SELECTION_6)))
-falsepositives:
-- unknown
-id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2021/05/11
-references:
-- https://twitter.com/SBousseaden/status/1096148422984384514
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1572
-- attack.lateral_movement
-- attack.t1021.001
-- attack.t1076
-- car.2013-07-002
-yml_filename: sysmon_rdp_reverse_tunnel.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
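Review bot: the tag list includes `attack.t1076`, an ID ATT&CK retired in favour of `attack.t1021.001`, which is already listed two lines above it; drop the stale ID if this rule is re-added. The detection itself is sound: SELECTION_3 `Initiated: 'true'` with SELECTION_4 `SourcePort: 3389` and a loopback destination captures the server side of an RDP session talking back to localhost, which is the reverse-tunnel signal the description names.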
diff --git a/rules/alert-rules/sigma/sysmon_rdp_settings_hijack.yml b/rules/alert-rules/sigma/sysmon_rdp_settings_hijack.yml
deleted file mode 100644
index fb62aefc..00000000
--- a/rules/alert-rules/sigma/sysmon_rdp_settings_hijack.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: RDP Sensitive Settings Changed
-author: Samir Bousseaden
-date: 2019/04/03
-description: Detects changes to RDP terminal service sensitive settings
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\services\TermService\Parameters\ServiceDll*'
- SELECTION_5:
- TargetObject: '*\Control\Terminal Server\fSingleSessionPerUser*'
- SELECTION_6:
- TargetObject: '*\Control\Terminal Server\fDenyTSConnections*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- unknown
-id: 171b67e1-74b4-460e-8d55-b331f3e32d67
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_rdp_settings_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
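Review bot: SELECTION_6 `'*\Control\Terminal Server\fDenyTSConnections*'` overlaps the `RDP Registry Modification` rule deleted earlier in this diff (id 41904ebe), whose SELECTION_5 targets the same value but additionally requires `Details: DWORD (0x00000000)`; with both present, every RDP enablement produces two `level: high` alerts. This file also has no `status:` field, unlike its siblings. If both are re-added, set a status and decide whether this broader rule should exclude the value the narrower one covers.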
diff --git a/rules/alert-rules/sigma/sysmon_redmimicry_winnti_filedrop.yml b/rules/alert-rules/sigma/sysmon_redmimicry_winnti_filedrop.yml
deleted file mode 100644
index bd058c2a..00000000
--- a/rules/alert-rules/sigma/sysmon_redmimicry_winnti_filedrop.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: RedMimicry Winnti Playbook Dropped File
-author: Alexander Rausch
-date: 2020/06/24
-description: Detects actions caused by the RedMimicry Winnti playbook
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*gthread-3.6.dll*'
- SELECTION_3:
- TargetFilename: '*sigcmm-2.4.dll*'
- SELECTION_4:
- TargetFilename: '*\Windows\Temp\tmp.bat*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unknown
-id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://redmimicry.com
-tags:
-- attack.defense_evasion
-- attack.t1027
-yml_filename: sysmon_redmimicry_winnti_filedrop.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_redmimicry_winnti_reg.yml b/rules/alert-rules/sigma/sysmon_redmimicry_winnti_reg.yml
deleted file mode 100644
index 48b6dbf7..00000000
--- a/rules/alert-rules/sigma/sysmon_redmimicry_winnti_reg.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: RedMimicry Winnti Playbook Registry Manipulation
-author: Alexander Rausch
-date: 2020/06/24
-description: Detects actions caused by the RedMimicry Winnti playbook
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*HKLM\SOFTWARE\Microsoft\HTMLHelp\data*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://redmimicry.com
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_redmimicry_winnti_reg.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_reg_office_security.yml b/rules/alert-rules/sigma/sysmon_reg_office_security.yml
deleted file mode 100644
index 04b13947..00000000
--- a/rules/alert-rules/sigma/sysmon_reg_office_security.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Office Security Settings Changed
-author: Trent Liffick (@tliffick)
-date: 2020/05/22
-description: Detects registry changes to Office macro settings
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Security\Trusted Documents\TrustRecords'
- SELECTION_5:
- TargetObject: '*\Security\AccessVBOM'
- SELECTION_6:
- TargetObject: '*\Security\VBAWarnings'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Valid Macros and/or internal documents
-id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/07/12
-references:
-- Internal Research
-- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_reg_office_security.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
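Review bot: SELECTION_4 `'*\Security\Trusted Documents\TrustRecords'` duplicates the `Windows Registry Trust Record Modification` rule later in this diff (id 295a59c1, `TargetObject: '*TrustRecords*'`), at `level: high` here versus `medium` there, so a single TrustRecords write fires twice at different severities if both are re-added. Keep the AccessVBOM/VBAWarnings selections here and either drop SELECTION_4 or retire the other rule.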
diff --git a/rules/alert-rules/sigma/sysmon_reg_silentprocessexit.yml b/rules/alert-rules/sigma/sysmon_reg_silentprocessexit.yml
deleted file mode 100644
index e186b2d0..00000000
--- a/rules/alert-rules/sigma/sysmon_reg_silentprocessexit.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: SilentProcessExit Monitor Registrytion
-author: Florian Roth
-date: 2021/02/26
-description: Detects changes to the Registry in which a monitor program gets registered
- to monitor the exit of another process
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Microsoft\Windows NT\CurrentVersion\SilentProcessExit*'
- SELECTION_5:
- Details: '*MonitorProcess*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: c81fe886-cac0-4913-a511-2822d72ff505
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
-tags:
-- attack.persistence
-- attack.t1546.012
-yml_filename: sysmon_reg_silentprocessexit.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
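Review bot: the title `SilentProcessExit Monitor Registrytion` is a typo for `Registration` (the LSASS-specific sibling rule below carries the same one); fix it in whatever replaces this file. Detection-wise, SELECTION_4 on `\SilentProcessExit*` plus SELECTION_5 `Details: '*MonitorProcess*'` is the right pair, but it also fires for the `lsass.exe` subkey that the sibling rule handles at `level: critical`, so the two rules double-alert on the case that matters most.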
diff --git a/rules/alert-rules/sigma/sysmon_reg_silentprocessexit_lsass.yml b/rules/alert-rules/sigma/sysmon_reg_silentprocessexit_lsass.yml
deleted file mode 100644
index 684ad4b5..00000000
--- a/rules/alert-rules/sigma/sysmon_reg_silentprocessexit_lsass.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: SilentProcessExit Monitor Registrytion for LSASS
-author: Florian Roth
-date: 2021/02/26
-description: Detects changes to the Registry in which a monitor program gets registered
- to dump process memory of the lsass.exe process memory
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: 55e29995-75e7-451a-bef0-6225e2f13597
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
-- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-tags:
-- attack.credential_access
-- attack.t1003.007
-yml_filename: sysmon_reg_silentprocessexit_lsass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
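Review bot: SELECTION_4 `'*...\SilentProcessExit\lsass.exe*'` is a strict subset of the generic rule above (id c81fe886) whenever `MonitorProcess` is among the values written, so an LSASS registration produces both a `high` and a `critical` alert. If both are re-added, have the generic rule exclude `\lsass.exe` or accept the double alert deliberately, and fix the `Registrytion` typo in this title as well.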
diff --git a/rules/alert-rules/sigma/sysmon_reg_vbs_payload_stored.yml b/rules/alert-rules/sigma/sysmon_reg_vbs_payload_stored.yml
deleted file mode 100644
index da59f309..00000000
--- a/rules/alert-rules/sigma/sysmon_reg_vbs_payload_stored.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: VBScript Payload Stored in Registry
-author: Florian Roth
-date: 2021/03/05
-description: Detects VBScript content stored into registry keys as seen being used
- by UNC2452 group
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*RunHTMLApplication*'
- SELECTION_11:
- Details: '*Execute(*'
- SELECTION_12:
- Details: '*CreateObject*'
- SELECTION_13:
- Details: '*RegRead*'
- SELECTION_14:
- Details: '*window.close*'
- SELECTION_15:
- TargetObject: '*Software\Microsoft\Windows\CurrentVersion\Run*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Software\Microsoft\Windows\CurrentVersion*'
- SELECTION_5:
- Details: '*vbscript*'
- SELECTION_6:
- Details: '*jscript*'
- SELECTION_7:
- Details: '*mshtml*'
- SELECTION_8:
- Details: '*mshtml,*'
- SELECTION_9:
- Details: '*mshtml *'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)) and not
- (SELECTION_15))
-falsepositives:
-- Unknown
-id: 46490193-1b22-4c29-bdd6-5bf63907216f
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1547.001
-yml_filename: sysmon_reg_vbs_payload_stored.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
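Review bot: SELECTION_7 `Details: '*mshtml*'` already matches everything SELECTION_8 `'*mshtml,*'` and SELECTION_9 `'*mshtml *'` match, so those two are dead weight. All ten `Details` selections can only be satisfied by Event ID 13 (value set), since Event 12 and 14 records carry no `Details` field, so `SELECTION_1 or SELECTION_3` in the condition never contribute. The `not SELECTION_15` exclusion of `...\CurrentVersion\Run*` also means a loader written directly into the Run key with `vbscript`/`mshtml` in its value is not caught here; confirm another rule covers that case before re-adding.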
diff --git a/rules/alert-rules/sigma/sysmon_regedit_export_to_ads.yml b/rules/alert-rules/sigma/sysmon_regedit_export_to_ads.yml
deleted file mode 100644
index e8fd6d5d..00000000
--- a/rules/alert-rules/sigma/sysmon_regedit_export_to_ads.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Exports Registry Key To an Alternate Data Stream
-author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-description: Exports the target Registry key and hides it in the specified alternate
- data stream.
-detection:
- SELECTION_1:
- EventID: 15
- SELECTION_2:
- Image: '*\regedit.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-fields:
-- TargetFilename
-id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
-level: high
-logsource:
- category: create_stream_hash
- product: windows
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
-- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.004
-yml_filename: sysmon_regedit_export_to_ads.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_stream_hash
-
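Review bot: the description is written from the attacker's side ("Exports the target Registry key and hides it...") rather than as a "Detects ..." statement, and the condition is simply Event ID 15 from `regedit.exe`, with no check on `TargetFilename` at all; every stream-hash event regedit produces is an alert and triage rests entirely on the `fields: TargetFilename` output. If re-added, reword the description and consider a `TargetFilename` selection that requires the `:` stream separator.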
diff --git a/rules/alert-rules/sigma/sysmon_registry_add_local_hidden_user.yml b/rules/alert-rules/sigma/sysmon_registry_add_local_hidden_user.yml
deleted file mode 100644
index fff64074..00000000
--- a/rules/alert-rules/sigma/sysmon_registry_add_local_hidden_user.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Creation of a Local Hidden User Account by Registry
-author: Christian Burkard
-date: 2021/05/03
-description: Sysmon registry detection of a local hidden user account.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SAM\SAM\Domains\Account\Users\Names\\*
- SELECTION_5:
- TargetObject: '*$'
- SELECTION_6:
- Image: '*lsass.exe'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- unknown
-id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/12
-references:
-- https://twitter.com/SBousseaden/status/1387530414185664538
-status: experimental
-tags:
-- attack.persistence
-- attack.t1136.001
-yml_filename: sysmon_registry_add_local_hidden_user.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_registry_persistence_key_linking.yml b/rules/alert-rules/sigma/sysmon_registry_persistence_key_linking.yml
deleted file mode 100644
index f19b574e..00000000
--- a/rules/alert-rules/sigma/sysmon_registry_persistence_key_linking.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Windows Registry Persistence COM Key Linking
-author: Kutepov Anton, oscd.community
-date: 2019/10/23
-description: Detects COM object hijacking via TreatAs subkey
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: CreateKey
- SELECTION_5:
- TargetObject: '*HKU\\*'
- SELECTION_6:
- TargetObject: '*Classes\CLSID\\*'
- SELECTION_7:
- TargetObject: '*\TreatAs*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- Maybe some system utilities in rare cases use linking keys for backward compatibility
-id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/17
-references:
-- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1122
-- attack.t1546.015
-yml_filename: sysmon_registry_persistence_key_linking.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
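Review bot: `attack.t1122` is a retired ATT&CK ID superseded by `attack.t1546.015`, which is already listed on the next line; drop it if the rule is re-added. SELECTION_4 `EventType: CreateKey` restricts the match to key creation, so repointing the default value of an existing `TreatAs` key (Event ID 13, a value set) is not caught, and the `EventID: 13`/`14` branches in the condition can never satisfy that filter; either widen SELECTION_4 or remove the dead branches.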
diff --git a/rules/alert-rules/sigma/sysmon_registry_persistence_search_order.yml b/rules/alert-rules/sigma/sysmon_registry_persistence_search_order.yml
deleted file mode 100644
index 99f80e89..00000000
--- a/rules/alert-rules/sigma/sysmon_registry_persistence_search_order.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-title: Windows Registry Persistence COM Search Order Hijacking
-author: "Maxime Thiebaut (@0xThiebaut), oscd.community, C\xE9dric Hien"
-date: 2020/04/14
-description: Detects potential COM object hijacking leveraging the COM Search Order
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*%%systemroot%%\system32\\*'
- SELECTION_11:
- Details: '*%%systemroot%%\SysWow64\\*'
- SELECTION_12:
- EventID: 12
- SELECTION_13:
- EventID: 13
- SELECTION_14:
- EventID: 14
- SELECTION_15:
- Details: '*\AppData\Local\Microsoft\OneDrive\\*'
- SELECTION_16:
- Details: '*\FileCoAuthLib64.dll*'
- SELECTION_17:
- Details: '*\FileSyncShell64.dll*'
- SELECTION_18:
- Details: '*\FileSyncApi64.dll*'
- SELECTION_19:
- Details: '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*'
- SELECTION_2:
- EventID: 13
- SELECTION_20:
- Details: '*\Microsoft.Teams.AddinLoader.dll*'
- SELECTION_21:
- Details: '*\AppData\Roaming\Dropbox\\*'
- SELECTION_22:
- Details: '*\DropboxExt64.*.dll*'
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKCR\CLSID\\*
- SELECTION_5:
- TargetObject: HKCU\Software\Classes\CLSID\\*
- SELECTION_6:
- TargetObject: '*\InprocServer32\(Default)'
- SELECTION_7:
- EventID: 12
- SELECTION_8:
- EventID: 13
- SELECTION_9:
- EventID: 14
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5)
- and SELECTION_6) and not (((SELECTION_7 or SELECTION_8 or SELECTION_9) and
- ((((SELECTION_10 or SELECTION_11) or ((SELECTION_12 or SELECTION_13 or SELECTION_14)
- and SELECTION_15 and (SELECTION_16 or SELECTION_17 or SELECTION_18))) or (SELECTION_19
- and SELECTION_20)) or (SELECTION_21 and SELECTION_22)))))
-falsepositives:
-- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
-id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/16
-references:
-- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-- https://attack.mitre.org/techniques/T1546/015/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1546.015
-yml_filename: sysmon_registry_persistence_search_order.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
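Review bot: the converter emitted the same `EventID: 12/13/14` triplet three times (SELECTION_1 to 3, 7 to 9, 12 to 14) and nested them into a five-level condition; the triplets are identical and the first is already required, so the filter reduces to `not ((SELECTION_10 or SELECTION_11) or (SELECTION_15 and (SELECTION_16 or SELECTION_17 or SELECTION_18)) or (SELECTION_19 and SELECTION_20) or (SELECTION_21 and SELECTION_22))`; flatten it if the rule is regenerated. The OneDrive/Teams/Dropbox exclusions also whitelist by DLL name under user-writable `AppData` paths, which is exactly where someone hijacking `InprocServer32\(Default)` can write, so a name match there is a weaker exception than a check on the loaded module's signature or a path outside the profile.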
diff --git a/rules/alert-rules/sigma/sysmon_registry_susp_printer_driver.yml b/rules/alert-rules/sigma/sysmon_registry_susp_printer_driver.yml
deleted file mode 100644
index 59f6253c..00000000
--- a/rules/alert-rules/sigma/sysmon_registry_susp_printer_driver.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Suspicious Printer Driver Empty Manufacturer
-author: Florian Roth
-date: 2020/07/01
-description: Detects a suspicious printer driver installation with an empty Manufacturer
- value
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Control\Print\Environments\Windows x64\Drivers*'
- SELECTION_5:
- TargetObject: '*\Manufacturer*'
- SELECTION_6:
- Details: (Empty)
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer
- value
-id: e0813366-0407-449a-9869-a2db1119dc41
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://twitter.com/SBousseaden/status/1410545674773467140
-status: experimental
-tags:
-- attack.privilege_escalation
-- cve.2021.1675
-yml_filename: sysmon_registry_susp_printer_driver.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
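Review bot: SELECTION_4 `'*\Control\Print\Environments\Windows x64\Drivers*'` only inspects the x64 driver environment; drivers registered under any other environment key (the component after `Environments\`) are not examined. If re-added, widen it to `'*\Control\Print\Environments\\*\Drivers*'` (using the `\\*` escape from the rule-writing doc so the backslash before the wildcard is literal). SELECTION_6 `Details: (Empty)` also relies on Sysmon rendering an empty value exactly as `(Empty)`; that deserves a fixture test rather than an assumption, given the rule is `level: high` and tagged `cve.2021.1675`.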
diff --git a/rules/alert-rules/sigma/sysmon_registry_trust_record_modification.yml b/rules/alert-rules/sigma/sysmon_registry_trust_record_modification.yml
deleted file mode 100644
index 3dea8684..00000000
--- a/rules/alert-rules/sigma/sysmon_registry_trust_record_modification.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Windows Registry Trust Record Modification
-author: Antonlovesdnb
-date: 2020/02/19
-description: Alerts on trust record modification within the registry, indicating usage
- of macros
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*TrustRecords*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
-- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
-status: experimental
-tags:
-- attack.initial_access
-- attack.t1193
-- attack.t1566.001
-yml_filename: sysmon_registry_trust_record_modification.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
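Review bot: `attack.t1193` is a retired ATT&CK ID whose replacement `attack.t1566.001` is already listed beneath it; drop the stale tag. SELECTION_4 `'*TrustRecords*'` matches any key path containing the word, not only `...\Security\Trusted Documents\TrustRecords`, and the `falsepositives` text already concedes every legitimate macro enablement fires it; since the `Office Security Settings Changed` rule earlier in this diff covers the same value at `level: high`, one of the two should go rather than both being re-added.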
diff --git a/rules/alert-rules/sigma/sysmon_regsvr32_network_activity.yml b/rules/alert-rules/sigma/sysmon_regsvr32_network_activity.yml
deleted file mode 100644
index 850f76a6..00000000
--- a/rules/alert-rules/sigma/sysmon_regsvr32_network_activity.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Regsvr32 Network Activity
-author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-description: Detects network connections and DNS queries initiated by Regsvr32.exe
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\regsvr32.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- ComputerName
-- User
-- Image
-- DestinationIp
-- DestinationPort
-id: c7e91a02-d771-4a6d-a700-42587e0b1095
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2021/09/21
-references:
-- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
-- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
-status: experimental
-tags:
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-- attack.defense_evasion
-- attack.t1218.010
-- attack.t1117
-yml_filename: sysmon_regsvr32_network_activity.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
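Review bot: the description promises "network connections and DNS queries", but the detection is only `EventID: 3` (network connection); DNS queries are Sysmon Event ID 22 and are not covered, so either add a selection for Event 22 or trim the description. The tag list also mixes retired IDs (`attack.t1175`, `attack.t1117`) with their replacements (`attack.t1559.001`, `attack.t1218.010`); keep only the current ones if the rule is regenerated.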
diff --git a/rules/alert-rules/sigma/sysmon_remote_powershell_session_network.yml b/rules/alert-rules/sigma/sysmon_remote_powershell_session_network.yml
deleted file mode 100644
index efd24fe6..00000000
--- a/rules/alert-rules/sigma/sysmon_remote_powershell_session_network.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Remote PowerShell Session
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-description: Detects remote PowerShell connections by monitoring network outbound
- connections to ports 5985 or 5986 from a non-network service account.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationPort: 5985
- SELECTION_3:
- DestinationPort: 5986
- SELECTION_4:
- User: NT AUTHORITY\NETWORK SERVICE
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
-id: c539afac-c12a-46ed-b1bd-5a5567c9f045
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.lateral_movement
-- attack.t1021.006
-- attack.t1028
-yml_filename: sysmon_remote_powershell_session_network.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
diff --git a/rules/alert-rules/sigma/sysmon_removal_amsi_registry_key.yml b/rules/alert-rules/sigma/sysmon_removal_amsi_registry_key.yml
deleted file mode 100644
index 4becaf90..00000000
--- a/rules/alert-rules/sigma/sysmon_removal_amsi_registry_key.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Removal Amsi Provider Reg Key
-author: frack113
-date: 2021/06/07
-description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI
- to disable AMSI inspection
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: DeleteKey
- SELECTION_5:
- TargetObject: '*{2781761E-28E0-4109-99FE-B9D127C57AFE}'
- SELECTION_6:
- TargetObject: '*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
- or SELECTION_6))
-falsepositives:
-- unknown
-id: 41d1058a-aea7-4952-9293-29eaaf516465
-level: high
-logsource:
- category: registry_event
- definition: key must be add to the sysmon configuration to works
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://seclists.org/fulldisclosure/2020/Mar/45
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_removal_amsi_registry_key.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_removal_com_hijacking_registry_key.yml b/rules/alert-rules/sigma/sysmon_removal_com_hijacking_registry_key.yml
deleted file mode 100644
index d1408cfd..00000000
--- a/rules/alert-rules/sigma/sysmon_removal_com_hijacking_registry_key.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Removal of Potential COM Hijacking Registry Keys
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection to trigger for processes removing .*\shell\open\command
- registry keys. Registry keys that might have been used for COM hijacking activities.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: DeleteKey
- SELECTION_5:
- TargetObject: '*\shell\open\command'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- unknown
-id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/7
-- https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
-- https://docs.microsoft.com/en-us/windows/win32/shell/launch
-- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
-- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_removal_com_hijacking_registry_key.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_remove_windows_defender_definition_files.yml b/rules/alert-rules/sigma/sysmon_remove_windows_defender_definition_files.yml
deleted file mode 100644
index be356df0..00000000
--- a/rules/alert-rules/sigma/sysmon_remove_windows_defender_definition_files.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Remove Windows Defender Definition Files
-author: frack113
-date: 2021/07/07
-description: Adversaries may disable security tools to avoid possible detection of
- their tools and activities by removing Windows Defender Definition Files
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- OriginalFileName: MpCmdRun.exe
- SELECTION_3:
- CommandLine: '* -RemoveDefinitions*'
- SELECTION_4:
- CommandLine: '* -All*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_remove_windows_defender_definition_files.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_rundll32_net_connections.yml b/rules/alert-rules/sigma/sysmon_rundll32_net_connections.yml
deleted file mode 100644
index fd23bd85..00000000
--- a/rules/alert-rules/sigma/sysmon_rundll32_net_connections.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-title: Rundll32 Internet Connection
-author: Florian Roth
-date: 2017/11/04
-description: Detects a rundll32 that communicates with public IP addresses
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- DestinationIp: 172.20.*
- SELECTION_11:
- DestinationIp: 172.21.*
- SELECTION_12:
- DestinationIp: 172.22.*
- SELECTION_13:
- DestinationIp: 172.23.*
- SELECTION_14:
- DestinationIp: 172.24.*
- SELECTION_15:
- DestinationIp: 172.25.*
- SELECTION_16:
- DestinationIp: 172.26.*
- SELECTION_17:
- DestinationIp: 172.27.*
- SELECTION_18:
- DestinationIp: 172.28.*
- SELECTION_19:
- DestinationIp: 172.29.*
- SELECTION_2:
- Image: '*\rundll32.exe'
- SELECTION_20:
- DestinationIp: 172.30.*
- SELECTION_21:
- DestinationIp: 172.31.*
- SELECTION_22:
- DestinationIp: 127.*
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIp: 10.*
- SELECTION_5:
- DestinationIp: 192.168.*
- SELECTION_6:
- DestinationIp: 172.16.*
- SELECTION_7:
- DestinationIp: 172.17.*
- SELECTION_8:
- DestinationIp: 172.18.*
- SELECTION_9:
- DestinationIp: 172.19.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22)))
-falsepositives:
-- Communication to other corporate systems that use IP addresses from public address
- spaces
-id: cdc8da7d-c303-42f8-b08c-b4ab47230263
-level: medium
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218.011
-- attack.t1085
-- attack.execution
-yml_filename: sysmon_rundll32_net_connections.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
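Review bot: the private-address exclusion list in SELECTION_4 through SELECTION_22 covers `10.*`, `192.168.*`, `172.16.*` to `172.31.*` and `127.*` but not the `169.254.*` link-local range, so if this rule is re-homed rather than retired, rundll32 traffic to APIPA addresses would still alert as if it were to a public IP. The `falsepositives` entry already concedes that corporate systems on public address space trip the rule; if that is the reason for removal, saying so in the commit message would save the next reader from re-deriving it.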
diff --git a/rules/alert-rules/sigma/sysmon_runkey_winekey.yml b/rules/alert-rules/sigma/sysmon_runkey_winekey.yml
deleted file mode 100644
index c63f5e30..00000000
--- a/rules/alert-rules/sigma/sysmon_runkey_winekey.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: WINEKEY Registry Modification
-author: omkar72
-date: 2020/10/30
-description: Detects potential malicious modification of run keys by winekey or team9
- backdoor
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- Image
-- EventType
-- TargetObject
-id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-tags:
-- attack.persistence
-- attack.t1547
-yml_filename: sysmon_runkey_winekey.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_runonce_persistence.yml b/rules/alert-rules/sigma/sysmon_runonce_persistence.yml
deleted file mode 100644
index 60c48e70..00000000
--- a/rules/alert-rules/sigma/sysmon_runonce_persistence.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Run Once Task Configuration in Registry
-author: Avneet Singh @v3t0_, oscd.community
-date: 2020/11/15
-description: Rule to detect the configuration of Run Once registry key. Configured
- payload can be run by runonce.exe /AlternateShellStartup
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components*
- SELECTION_5:
- TargetObject: '*\StubPath'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Legitimate modification of the registry key by legitimate program
-id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://twitter.com/pabraeken/status/990717080805789697
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_runonce_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
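Review bot: the deleted rule's title (`Run Once Task Configuration in Registry`) and tags do not match its logic: SELECTION_4 and SELECTION_5 match `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components*` keys ending in `\StubPath`, which is the Active Setup autostart mechanism rather than the RunOnce key, and the rule is tagged `attack.defense_evasion` / `attack.t1112` even though the description and `falsepositives` entry describe a persistence mechanism. If a replacement is authored, the title, description and tags should be brought in line with what the selections actually match.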
diff --git a/rules/alert-rules/sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/alert-rules/sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
deleted file mode 100644
index ac7691b6..00000000
--- a/rules/alert-rules/sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: WMI Script Host Process Image Loaded
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
- functionality being used via images being loaded by a process.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\scrcons.exe'
- SELECTION_3:
- ImageLoaded: '*\vbscript.dll'
- SELECTION_4:
- ImageLoaded: '*\wbemdisp.dll'
- SELECTION_5:
- ImageLoaded: '*\wshom.ocx'
- SELECTION_6:
- ImageLoaded: '*\scrrun.dll'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Unknown
-id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://twitter.com/HunterPlaybook/status/1301207718355759107
-- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1546.003
-yml_filename: sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_sdclt_child_process.yml b/rules/alert-rules/sigma/sysmon_sdclt_child_process.yml
deleted file mode 100644
index 7c884467..00000000
--- a/rules/alert-rules/sigma/sysmon_sdclt_child_process.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Sdclt Child Processes
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for sdclt spawning new processes. This could be an
- indicator of sdclt being used for bypass UAC techniques.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\sdclt.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: da2738f2-fadb-4394-afa7-0a0674885afa
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/6
-- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_sdclt_child_process.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_spoolsv_dll_load.yml b/rules/alert-rules/sigma/sysmon_spoolsv_dll_load.yml
deleted file mode 100644
index 97e71542..00000000
--- a/rules/alert-rules/sigma/sysmon_spoolsv_dll_load.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Windows Spooler Service Suspicious Binary Load
-author: FPT.EagleEye, Thomas Patzke (improvements)
-date: 2021/06/29
-description: Detect DLL Load from Spooler Service backup folder
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*spoolsv.exe'
- SELECTION_3:
- ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
- SELECTION_4:
- ImageLoaded: '*.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Loading of legitimate driver
-id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
-level: informational
-logsource:
- category: image_load
- product: windows
-modified: 2021/08/24
-references:
-- https://github.com/hhlxf/PrintNightmare
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1574
-- cve.2021.1675
-- cve.2021.34527
-yml_filename: sysmon_spoolsv_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
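Review bot: the severity and scope of the deleted rule are inconsistent and should not be copied verbatim into any replacement: it is tagged `cve.2021.1675` and `cve.2021.34527` yet carries `level: informational`, and SELECTION_3 only matches the `\spool\drivers\x64\3\` directory, so 32-bit driver directories are not covered. The `*.dll` match in SELECTION_4 combined with `falsepositives: Loading of legitimate driver` also means it fires on every driver DLL load from that folder, which should be stated in the commit message if noise is the reason for removal.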
diff --git a/rules/alert-rules/sigma/sysmon_ssp_added_lsa_config.yml b/rules/alert-rules/sigma/sysmon_ssp_added_lsa_config.yml
deleted file mode 100644
index edd80e71..00000000
--- a/rules/alert-rules/sigma/sysmon_ssp_added_lsa_config.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Security Support Provider (SSP) Added to LSA Configuration
-author: iwillkeepwatch
-date: 2019/01/18
-description: Detects the addition of a SSP to the registry. Upon a reboot or API call,
- SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
- SELECTION_5:
- TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security
- Packages
- SELECTION_6:
- Image: C:\Windows\system32\msiexec.exe
- SELECTION_7:
- Image: C:\Windows\syswow64\MsiExec.exe
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and not (SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unlikely
-id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://attack.mitre.org/techniques/T1101/
-- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1101
-- attack.t1547.005
-yml_filename: sysmon_ssp_added_lsa_config.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_startup_folder_file_write.yml b/rules/alert-rules/sigma/sysmon_startup_folder_file_write.yml
deleted file mode 100644
index e38597c7..00000000
--- a/rules/alert-rules/sigma/sysmon_startup_folder_file_write.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Startup Folder File Write
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for files being created in the Windows startup directory.
- This could be an indicator of persistence.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: 2aa0a6b4-a865-495b-ab51-c28249537b75
-level: low
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/12
-- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
-status: experimental
-tags:
-- attack.persistence
-- attack.t1547.001
-yml_filename: sysmon_startup_folder_file_write.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
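Review bot: SELECTION_2 in the deleted rule only matches the all-users startup folder (`*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*`); the per-user startup folder under each profile's `AppData\Roaming` is not covered, so this `attack.t1547.001` rule was already a partial detection at `level: low`. That is worth keeping in mind for any replacement, and the commit message should state whether file-event coverage for T1547.001 is being dropped or moved.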
diff --git a/rules/alert-rules/sigma/sysmon_susp_adfs_namedpipe_connection.yml b/rules/alert-rules/sigma/sysmon_susp_adfs_namedpipe_connection.yml
deleted file mode 100644
index 5a67c93b..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_adfs_namedpipe_connection.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: ADFS Database Named Pipe Connection
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2021/10/08
-description: Detects suspicious local connections via a named pipe to the AD FS configuration
- database (Windows Internal Database). Used to access information such as the AD
- FS configuration settings which contains sensitive information used to sign SAML
- tokens.
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_10:
- Image: '*sqlservr.exe'
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- PipeName: \MICROSOFT##WID\tsql\query
- SELECTION_4:
- Image: '*Microsoft.IdentityServer.ServiceHost.exe'
- SELECTION_5:
- Image: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- SELECTION_6:
- Image: '*AzureADConnect.exe'
- SELECTION_7:
- Image: '*Microsoft.Tri.Sensor.exe'
- SELECTION_8:
- Image: '*wsmprovhost.exe'
- SELECTION_9:
- Image: '*mmc.exe'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10)))
-falsepositives:
-- Processes in the filter condition
-id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
-level: critical
-logsource:
- category: pipe_created
- product: windows
-modified: 2021/11/07
-references:
-- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
-- https://o365blog.com/post/adfs/
-- https://github.com/Azure/SimuLand
-status: experimental
-tags:
-- attack.collection
-- attack.t1005
-yml_filename: sysmon_susp_adfs_namedpipe_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_adsi_cache_usage.yml b/rules/alert-rules/sigma/sysmon_susp_adsi_cache_usage.yml
deleted file mode 100644
index e096971b..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_adsi_cache_usage.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Suspicious ADSI-Cache Usage By Unknown Tool
-author: xknow @xknow_infosec
-date: 2019/03/24
-description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect
- tools like LDAPFragger.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*'
- SELECTION_3:
- TargetFilename: '*.sch'
- SELECTION_4:
- Image: C:\windows\system32\svchost.exe
- SELECTION_5:
- Image: C:\windows\system32\dllhost.exe
- SELECTION_6:
- Image: C:\windows\system32\mmc.exe
- SELECTION_7:
- Image: C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
- SELECTION_8:
- Image: C:\Windows\CCM\CcmExec.exe
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8)))
-falsepositives:
-- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity
- by MMC, Powershell, Windows etc.
-id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
-- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
-- https://github.com/fox-it/LDAPFragger
-status: experimental
-tags:
-- attack.t1071
-- attack.t1001.003
-- attack.command_and_control
-yml_filename: sysmon_susp_adsi_cache_usage.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_atbroker_change.yml b/rules/alert-rules/sigma/sysmon_susp_atbroker_change.yml
deleted file mode 100644
index 2a3e9374..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_atbroker_change.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Atbroker Registry Change
-author: Mateusz Wydra, oscd.community
-date: 2020/10/13
-description: Detects creation/modification of Assisitive Technology applications and
- persistence with usage of ATs
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*'
- SELECTION_5:
- TargetObject: '*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Creation of non-default, legitimate AT.
-id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/24
-references:
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
-tags:
-- attack.defense_evasion
-- attack.t1218
-- attack.persistence
-- attack.t1547
-yml_filename: sysmon_susp_atbroker_change.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_clr_logs.yml b/rules/alert-rules/sigma/sysmon_susp_clr_logs.yml
deleted file mode 100644
index a666c43e..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_clr_logs.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Suspcious CLR Logs Creation
-author: omkar72, oscd.community
-date: 2020/10/12
-description: Detects suspicious .NET assembly executions
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Microsoft\CLR*'
- SELECTION_3:
- TargetFilename: '*\UsageLogs\\*'
- SELECTION_4:
- TargetFilename: '*mshta*'
- SELECTION_5:
- TargetFilename: '*cscript*'
- SELECTION_6:
- TargetFilename: '*wscript*'
- SELECTION_7:
- TargetFilename: '*regsvr32*'
- SELECTION_8:
- TargetFilename: '*wmic*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Unknown
-id: e4b63079-6198-405c-abd7-3fe8b0ce3263
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: sysmon_susp_clr_logs.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
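Review bot: the deleted rule's tags (`attack.execution`, `attack.t1059.001`) do not match its logic: T1059.001 is PowerShell, but SELECTION_4 through SELECTION_8 match CLR UsageLogs filenames containing `mshta`, `cscript`, `wscript`, `regsvr32` and `wmic`, none of which is PowerShell. The title also has a typo (`Suspcious`). If the rule is regenerated, the tags should reflect the script hosts and system binaries actually matched and the title should be corrected.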
diff --git a/rules/alert-rules/sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/alert-rules/sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
deleted file mode 100644
index 57ab334d..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-title: CobaltStrike Named Pipe Patterns
-author: Florian Roth, Christian Burkard
-date: 2021/07/30
-description: Detects the creation of a named pipe with a pattern found in CobaltStrike
- malleable C2 profiles
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_10:
- PipeName: \spoolss*
- SELECTION_11:
- PipeName: \msrpc_*
- SELECTION_12:
- PipeName: \win\msrpc_*
- SELECTION_13:
- PipeName: \wkssvc*
- SELECTION_14:
- PipeName: \f53f*
- SELECTION_15:
- PipeName: \windows.update.manager*
- SELECTION_16:
- PipeName: \SearchTextHarvester*
- SELECTION_17:
- PipeName: \DserNamePipe*
- SELECTION_18:
- PipeName: \PGMessagePipe*
- SELECTION_19:
- PipeName: \MsFteWds*
- SELECTION_2:
- EventID: 18
- SELECTION_20:
- PipeName: \f4c3*
- SELECTION_21:
- PipeName: \fullduplex_*
- SELECTION_22:
- PipeName: \rpc_*
- SELECTION_23:
- PipeName: \demoagent_11
- SELECTION_24:
- PipeName: \demoagent_22
- SELECTION_25:
- PipeName: \Winsock2\CatalogChangeListener-*
- SELECTION_26:
- PipeName: '*-0,'
- SELECTION_27:
- PipeName: \wkssvc
- SELECTION_28:
- PipeName: \spoolss
- SELECTION_29:
- PipeName: \scerpc
- SELECTION_3:
- PipeName: \mojo.5688.8052.183894939787088877*
- SELECTION_30:
- PipeName: \ntsvcs
- SELECTION_31:
- PipeName: \SearchTextHarvester
- SELECTION_32:
- PipeName: \PGMessagePipe
- SELECTION_33:
- PipeName: \MsFteWds
- SELECTION_4:
- PipeName: \mojo.5688.8052.35780273329370473*
- SELECTION_5:
- PipeName: \mypipe-f*
- SELECTION_6:
- PipeName: \mypipe-h*
- SELECTION_7:
- PipeName: \ntsvcs*
- SELECTION_8:
- PipeName: \scerpc*
- SELECTION_9:
- PipeName: \win_svc*
- condition: ((SELECTION_1 or SELECTION_2) and (((SELECTION_3 or SELECTION_4 or
- SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or
- SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22) or (SELECTION_23 or SELECTION_24))
- or (SELECTION_25 and SELECTION_26)) and not ((SELECTION_27 or SELECTION_28
- or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))
-falsepositives:
-- Chrome instances using the exactly same name pipe named mojo.something
-id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
-level: high
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular You can also use other repo,
- e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
- How to test detection? You can always use Cobalt Strike, but also you can
- check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-modified: 2021/08/26
-references:
-- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
-- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_susp_cobaltstrike_pipe_patterns.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
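Review bot: the `logsource.definition` text in the deleted rule contains a duplicated sentence (`You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` appears twice across the wrapped lines); if this rule is regenerated from upstream the duplicate should be dropped. Note also that the exclusion list SELECTION_27 through SELECTION_33 removes the exact names `\wkssvc`, `\spoolss`, `\scerpc`, `\ntsvcs`, `\SearchTextHarvester`, `\PGMessagePipe` and `\MsFteWds` while their wildcard forms in SELECTION_7 through SELECTION_19 stay matched, so only pipe names carrying a suffix after those prefixes alert; a comment explaining that in the replacement would help readers, since the condition is easy to misread as contradicting itself.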
diff --git a/rules/alert-rules/sigma/sysmon_susp_desktop_ini.yml b/rules/alert-rules/sigma/sysmon_susp_desktop_ini.yml
deleted file mode 100644
index a79e5afe..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_desktop_ini.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Suspicious desktop.ini Action
-author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/19
-description: Detects unusual processes accessing desktop.ini, which can be leveraged
- to alter how Explorer displays a folder's content (i.e. renaming files) without
- changing them on disk.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\desktop.ini'
- SELECTION_3:
- Image: C:\Windows\explorer.exe
- SELECTION_4:
- Image: C:\Windows\System32\msiexec.exe
- SELECTION_5:
- Image: C:\Windows\System32\mmc.exe
- condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
- or SELECTION_5)))
-falsepositives:
-- Operations performed through Windows SCCM or equivalent
-id: 81315b50-6b60-4d8f-9928-3466e1022515
-level: medium
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1023
-- attack.t1547.009
-yml_filename: sysmon_susp_desktop_ini.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_download_run_key.yml b/rules/alert-rules/sigma/sysmon_susp_download_run_key.yml
deleted file mode 100644
index 8423033d..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_download_run_key.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Suspicious Run Key from Download
-author: Florian Roth
-date: 2019/10/01
-description: Detects the suspicious RUN keys created by software located in Download
- or temporary Outlook/Internet Explorer directories
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- Image: '*\Downloads\\*'
- SELECTION_5:
- Image: '*\Temporary Internet Files\Content.Outlook\\*'
- SELECTION_6:
- Image: '*\Local Settings\Temporary Internet Files\\*'
- SELECTION_7:
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6) and SELECTION_7)
-falsepositives:
-- Software installers downloaded and used by users
-id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1060
-- attack.t1547.001
-yml_filename: sysmon_susp_download_run_key.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_fax_dll.yml b/rules/alert-rules/sigma/sysmon_susp_fax_dll.yml
deleted file mode 100644
index b532dcc5..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_fax_dll.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Fax Service DLL Search Order Hijack
-author: NVISO
-date: 2020/05/04
-description: The Fax service attempts to load ualapi.dll, which is non-existent. An
- attacker can then (side)load their own malicious DLL using this service.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*fxssvc.exe'
- SELECTION_3:
- ImageLoaded: '*ualapi.dll'
- SELECTION_4:
- ImageLoaded: C:\Windows\WinSxS\\*
- condition: (SELECTION_1 and ((SELECTION_2) and (SELECTION_3)) and not ((SELECTION_4)))
-falsepositives:
-- Unlikely
-id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://windows-internals.com/faxing-your-way-to-system/
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.t1073
-- attack.t1038
-- attack.t1574.001
-- attack.t1574.002
-yml_filename: sysmon_susp_fax_dll.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
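Review bot: the description states that ualapi.dll "is non-existent", yet SELECTION_4 excludes loads from `C:\Windows\WinSxS\\*`, which only makes sense if legitimate copies do live in the side-by-side store; if this rule is recreated rather than just removed, reword the description so it matches the exclusion. The tag list also mixes the legacy ATT&CK IDs `attack.t1073` and `attack.t1038` with their successors `attack.t1574.001` and `attack.t1574.002`; keep only the current IDs on any rebuilt rule.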
diff --git a/rules/alert-rules/sigma/sysmon_susp_image_load.yml b/rules/alert-rules/sigma/sysmon_susp_image_load.yml
deleted file mode 100644
index ba73b595..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_image_load.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Possible Process Hollowing Image Loading
-author: Markus Neis
-date: 2018/01/07
-description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.
- through process hollowing by Mimikatz
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\notepad.exe'
- SELECTION_3:
- ImageLoaded: '*\samlib.dll'
- SELECTION_4:
- ImageLoaded: '*\WinSCard.dll'
- condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Very likely, needs more tuning
-id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-yml_filename: sysmon_susp_image_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
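Review bot: `falsepositives: Very likely, needs more tuning` contradicts `level: high` in the same rule. Deleting it is defensible as noise reduction, but if it is only being moved, either lower the level or narrow SELECTION_2 beyond the single `Image: '*\notepad.exe'` match before reinstating it.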
diff --git a/rules/alert-rules/sigma/sysmon_susp_lsass_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_lsass_dll_load.yml
deleted file mode 100644
index f76692e0..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_lsass_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: DLL Load via LSASS
-author: Florian Roth
-date: 2019/10/16
-description: Detects a method to load DLL via LSASS process using an undocumented
- Registry key
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- SELECTION_5:
- TargetObject: '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: b3503044-60ce-4bf4-bbcb-e3db98788823
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/07/01
-references:
-- https://blog.xpnsec.com/exploring-mimikatz-part-1/
-- https://twitter.com/SBousseaden/status/1183745981189427200
-status: experimental
-tags:
-- attack.execution
-- attack.persistence
-- attack.t1177
-- attack.t1547.008
-yml_filename: sysmon_susp_lsass_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_mic_cam_access.yml b/rules/alert-rules/sigma/sysmon_susp_mic_cam_access.yml
deleted file mode 100644
index 79783789..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_mic_cam_access.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Suspicious Camera and Microphone Access
-author: Den Iuzvyk
-date: 2020/06/07
-description: Detects Processes accessing the camera and microphone from suspicious
- folder
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: '*:#Temp#*'
- SELECTION_11:
- TargetObject: '*:#Users#Public#*'
- SELECTION_12:
- TargetObject: '*:#Users#Default#*'
- SELECTION_13:
- TargetObject: '*:#Users#Desktop#*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*'
- SELECTION_5:
- TargetObject: '*\NonPackaged*'
- SELECTION_6:
- TargetObject: '*microphone*'
- SELECTION_7:
- TargetObject: '*webcam*'
- SELECTION_8:
- TargetObject: '*:#Windows#Temp#*'
- SELECTION_9:
- TargetObject: '*:#$Recycle.bin#*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
- and (SELECTION_6 or SELECTION_7) and (SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13))
-falsepositives:
-- Unlikely, there could be conferencing software running from a Temp folder accessing
- the devices
-id: 62120148-6b7a-42be-8b91-271c04e281a3
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/17
-references:
-- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
-tags:
-- attack.collection
-- attack.t1125
-- attack.t1123
-yml_filename: sysmon_susp_mic_cam_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
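Review bot: this rule has no `status:` field, while every other rule deleted in this patch carries `status: experimental`; tooling that consumes these files must tolerate the absence, and the field should be added if the rule is regenerated. The `#`-separated patterns such as `TargetObject: '*:#Temp#*'` are intentional: under the CapabilityAccessManager ConsentStore\NonPackaged key, Sysmon records the executable path with `#` in place of `\`, so they should not be "corrected" to backslashes on a rebuilt rule.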
diff --git a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml
deleted file mode 100644
index 95eea5c3..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: dotNET DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects any assembly DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: C:\Windows\assembly\\*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: ff0f2b05-09db-4095-b96d-1b75ca24894a
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_office_dotnet_assembly_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_clr_dll_load.yml
deleted file mode 100644
index e3484644..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: CLR DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects CLR DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: '*\clr.dll*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: d13c43f0-f66b-4279-8b2c-5912077c1780
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_office_dotnet_clr_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_gac_dll_load.yml
deleted file mode 100644
index 84180407..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: GAC DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects any GAC DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: C:\Windows\Microsoft.NET\assembly\GAC_MSIL*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: 90217a70-13fc-48e4-b3db-0d836c5824ac
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_office_dotnet_gac_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_office_dsparse_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dsparse_dll_load.yml
deleted file mode 100644
index e6786b9b..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_office_dsparse_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Active Directory Parsing DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects DSParse DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: '*\dsparse.dll*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: a2a3b925-7bb0-433b-b508-db9003263cc4
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_office_dsparse_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_office_kerberos_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_kerberos_dll_load.yml
deleted file mode 100644
index 862f3f4e..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_office_kerberos_dll_load.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Active Directory Kerberos DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects Kerberos DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: '*\kerberos.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_office_kerberos_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
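Review bot: the five Office image_load rules removed in this patch (assembly, clr, gac, dsparse, kerberos) share SELECTION_1 through SELECTION_5 and the same falsepositives text and differ only in SELECTION_6; if they come back, one rule with an `or` over the ImageLoaded patterns would be easier to tune. The suffix handling is also inconsistent across them: `'*\clr.dll*'` and `'*\dsparse.dll*'` carry a trailing wildcard while this rule's `'*\kerberos.dll'` does not, so the former also match any name that merely begins with the DLL name.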
diff --git a/rules/alert-rules/sigma/sysmon_susp_pfx_file_creation.yml b/rules/alert-rules/sigma/sysmon_susp_pfx_file_creation.yml
deleted file mode 100644
index 87bd8b1d..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_pfx_file_creation.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious PFX File Creation
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A general detection for processes creating PFX files. This could be an
- indicator of an adversary exporting a local certificate to a PFX file.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*.pfx'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- System administrators managing certififcates.
-id: dca1b3e8-e043-4ec8-85d7-867f334b5724
-level: medium
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/14
-- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1552.004
-yml_filename: sysmon_susp_pfx_file_creation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_plink_remote_forward.yml b/rules/alert-rules/sigma/sysmon_susp_plink_remote_forward.yml
deleted file mode 100644
index 1164d633..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_plink_remote_forward.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious Plink Remote Forwarding
-author: Florian Roth
-date: 2021/01/19
-description: Detects suspicious Plink tunnel remote forarding to a local port
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Description: Command-line SSH, Telnet, and Rlogin client
- SELECTION_3:
- CommandLine: '* -R *'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Administrative activity using a remote port forwarding to a local port
-id: 48a61b29-389f-4032-b317-b30de6b95314
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
-- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1572
-- attack.lateral_movement
-- attack.t1021.001
-yml_filename: sysmon_susp_plink_remote_forward.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_powershell_rundll32.yml b/rules/alert-rules/sigma/sysmon_susp_powershell_rundll32.yml
deleted file mode 100644
index 4caa9ee8..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_powershell_rundll32.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: PowerShell Rundll32 Remote Thread Creation
-author: Florian Roth
-date: 2018/06/25
-description: Detects PowerShell remote thread creation in Rundll32.exe
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- SourceImage: '*\powershell.exe'
- SELECTION_3:
- TargetImage: '*\rundll32.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 99b97608-3e21-4bfe-8217-2a127c396a0e
-level: high
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2021/11/12
-references:
-- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.execution
-- attack.t1085
-- attack.t1218.011
-- attack.t1086
-- attack.t1059.001
-yml_filename: sysmon_susp_powershell_rundll32.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/alert-rules/sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
deleted file mode 100644
index ad1d8764..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Suspicious PROCEXP152.sys File Created In TMP
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-description: Detects the creation of the PROCEXP152.sys file in the application-data
- local temporary folder. This driver is used by Sysinternals Process Explorer but
- also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
- which uses KDU.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_3:
- TargetFilename: '*PROCEXP152.sys'
- SELECTION_4:
- Image: '*\procexp64.exe*'
- SELECTION_5:
- Image: '*\procexp.exe*'
- SELECTION_6:
- Image: '*\procmon64.exe*'
- SELECTION_7:
- Image: '*\procmon.exe*'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7)))
-falsepositives:
-- Other legimate tools using this driver and filename (like Sysinternals). Note -
- Clever attackers may easily bypass this detection by just renaming the driver
- filename. Therefore just Medium-level and don't rely on it.
-id: 3da70954-0f2c-4103-adff-b7440368f50e
-level: medium
-logsource:
- category: file_event
- product: windows
-references:
-- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-status: experimental
-tags:
-- attack.t1089
-- attack.t1562.001
-- attack.defense_evasion
-yml_filename: sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
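Review bot: the exclusions SELECTION_4 through SELECTION_7 (`Image: '*\procexp64.exe*'` and siblings) end in a wildcard, so any Image path that merely contains `\procexp64.exe` is suppressed, not only a process whose binary is procexp64.exe; the falsepositives note already concedes that renaming the driver bypasses the rule, and the trailing `*` widens that gap further. If the rule is recreated, drop the trailing `*` so each exclusion is an exact suffix match.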
diff --git a/rules/alert-rules/sigma/sysmon_susp_prog_location_network_connection.yml b/rules/alert-rules/sigma/sysmon_susp_prog_location_network_connection.yml
deleted file mode 100644
index f353846e..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_prog_location_network_connection.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Suspicious Program Location with Network Connections
-author: Florian Roth
-date: 2017/03/19
-description: Detects programs with network connections running in suspicious files
- system locations
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- Image: '*\Windows\addins\\*'
- SELECTION_11:
- Image: '*\$Recycle.bin'
- SELECTION_12:
- Image: C:\Perflogs\\*
- SELECTION_2:
- Image: '*\Users\All Users\\*'
- SELECTION_3:
- Image: '*\Users\Default\\*'
- SELECTION_4:
- Image: '*\Users\Public\\*'
- SELECTION_5:
- Image: '*\Users\Contacts\\*'
- SELECTION_6:
- Image: '*\Users\Searches\\*'
- SELECTION_7:
- Image: '*\config\systemprofile\\*'
- SELECTION_8:
- Image: '*\Windows\Fonts\\*'
- SELECTION_9:
- Image: '*\Windows\IME\\*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- or (SELECTION_11) or (SELECTION_12)))
-falsepositives:
-- unknown
-id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
-level: high
-logsource:
- category: network_connection
- definition: Use the following config to generate the necessary Event ID 3 Network
- Connection events
- product: windows
-references:
-- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1105
-yml_filename: sysmon_susp_prog_location_network_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
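Review bot: SELECTION_11 `Image: '*\$Recycle.bin'` has no trailing `\\*`, unlike every other directory pattern in this rule and unlike `C:\$Recycle.bin\\*` in the run-key rules elsewhere in this patch, so it only matches an Image ending in the literal string `$Recycle.bin` and never a binary inside that folder. The `logsource.definition` text "Use the following config to generate the necessary Event ID 3 Network Connection events" also refers to a config that is not present in the file. Both are worth fixing if the rule is reintroduced rather than just deleted.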
diff --git a/rules/alert-rules/sigma/sysmon_susp_python_image_load.yml b/rules/alert-rules/sigma/sysmon_susp_python_image_load.yml
deleted file mode 100644
index a24eb721..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_python_image_load.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Python Py2Exe Image Load
-author: Patrick St. John, OTR (Open Threat Research)
-date: 2020/05/03
-description: Detects the image load of Python Core indicative of a Python script bundled
- with Py2Exe.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: Python Core
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legit Py2Exe Binaries
-fields:
-- Description
-id: cbb56d62-4060-40f7-9466-d8aaf3123f83
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/05/12
-references:
-- https://www.py2exe.org/
-- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027.002
-yml_filename: sysmon_susp_python_image_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_rdp.yml b/rules/alert-rules/sigma/sysmon_susp_rdp.yml
deleted file mode 100644
index d2d716c1..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_rdp.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-title: Suspicious Outbound RDP Connections
-author: Markus Neis - Swisscom
-date: 2019/05/15
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
- lateral movement
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_10:
- Image: '*\RemoteDesktopManagerFree.exe'
- SELECTION_11:
- Image: '*\RemoteDesktopManager.exe'
- SELECTION_12:
- Image: '*\RemoteDesktopManager64.exe'
- SELECTION_13:
- Image: '*\mRemoteNG.exe'
- SELECTION_14:
- Image: '*\mRemote.exe'
- SELECTION_15:
- Image: '*\Terminals.exe'
- SELECTION_16:
- Image: '*\spiceworks-finder.exe'
- SELECTION_17:
- Image: '*\FSDiscovery.exe'
- SELECTION_18:
- Image: '*\FSAssessment.exe'
- SELECTION_19:
- Image: '*\MobaRTE.exe'
- SELECTION_2:
- DestinationPort: 3389
- SELECTION_20:
- Image: '*\chrome.exe'
- SELECTION_21:
- Image: '*\System32\dns.exe'
- SELECTION_22:
- Image: '*\thor.exe'
- SELECTION_23:
- Image: '*\thor64.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- Image: '*\mstsc.exe'
- SELECTION_5:
- Image: '*\RTSApp.exe'
- SELECTION_6:
- Image: '*\RTS2App.exe'
- SELECTION_7:
- Image: '*\RDCMan.exe'
- SELECTION_8:
- Image: '*\ws_TunnelService.exe'
- SELECTION_9:
- Image: '*\RSSensor.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23)))
-falsepositives:
-- Other Remote Desktop RDP tools
-- domain controller using dns.exe
-id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.001
-- attack.t1076
-- car.2013-07-002
-yml_filename: sysmon_susp_rdp.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_reg_persist_explorer_run.yml b/rules/alert-rules/sigma/sysmon_susp_reg_persist_explorer_run.yml
deleted file mode 100644
index a55398bd..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_reg_persist_explorer_run.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Registry Persistence via Explorer Run Key
-author: Florian Roth, oscd.community
-date: 2018/07/18
-description: Detects a possible persistence mechanism using RUN key for Windows Explorer
- and pointing to a suspicious folder
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: C:\Users\Default\\*
- SELECTION_11:
- Details: '*\AppData\\*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- SELECTION_5:
- Details: C:\Windows\Temp\\*
- SELECTION_6:
- Details: C:\ProgramData\\*
- SELECTION_7:
- Details: C:\$Recycle.bin\\*
- SELECTION_8:
- Details: C:\Temp\\*
- SELECTION_9:
- Details: C:\Users\Public\\*
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and ((SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- or (SELECTION_11)))
-falsepositives:
-- Unknown
-fields:
-- Image
-- ParentImage
-id: b7916c2a-fa2f-4795-9477-32b731f70f11
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1060
-- attack.t1547.001
-yml_filename: sysmon_susp_reg_persist_explorer_run.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
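Review bot: SELECTION_4 `TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'` has no trailing `\\*`, but Sysmon's value-set event (EventID 13) reports TargetObject as the key path followed by the value name, so this pattern only matches the key itself (EventID 12 create/delete) or an unnamed default value; the run-key rule that follows in this patch uses `'*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'` for exactly that reason. Append `\\*` if this rule is recreated.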
diff --git a/rules/alert-rules/sigma/sysmon_susp_run_key_img_folder.yml b/rules/alert-rules/sigma/sysmon_susp_run_key_img_folder.yml
deleted file mode 100644
index 94260fc6..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_run_key_img_folder.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: New RUN Key Pointing to Suspicious Folder
-author: Florian Roth, Markus Neis, Sander Wiebing
-date: 2018/08/25
-description: Detects suspicious new RUN key element pointing to an executable in a
- suspicious folder
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*C:\Users\Default\\*'
- SELECTION_11:
- Details: '*C:\Users\Desktop\\*'
- SELECTION_12:
- Details: '*\AppData\Local\Temp\\*'
- SELECTION_13:
- Details: '%Public%\\*'
- SELECTION_14:
- Details: wscript*
- SELECTION_15:
- Details: cscript*
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- SELECTION_5:
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
- SELECTION_6:
- Details: '*C:\Windows\Temp\\*'
- SELECTION_7:
- Details: '*C:\$Recycle.bin\\*'
- SELECTION_8:
- Details: '*C:\Temp\\*'
- SELECTION_9:
- Details: '*C:\Users\Public\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and ((SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12) or (SELECTION_13 or SELECTION_14 or SELECTION_15)))
-falsepositives:
-- Software using weird folders for updates
-fields:
-- Image
-id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/10/30
-references:
-- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
-status: experimental
-tags:
-- attack.persistence
-- attack.t1060
-- attack.t1547.001
-yml_filename: sysmon_susp_run_key_img_folder.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
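Review bot: SELECTION_11 `Details: '*C:\Users\Desktop\\*'` names a path that does not exist in a standard Windows profile layout (desktops live under `C:\Users\<name>\Desktop`), so it can never match and only adds a dead branch to the condition. SELECTION_14 and SELECTION_15 (`Details: wscript*`, `Details: cscript*`) are also unquoted while every other pattern in the rule is quoted; YAML accepts both, but the inconsistency is worth cleaning up if the rule is regenerated.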
diff --git a/rules/alert-rules/sigma/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_script_dotnet_clr_dll_load.yml
deleted file mode 100644
index d1e6cfd4..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_script_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: CLR DLL Loaded Via Scripting Applications
-author: omkar72, oscd.community
-date: 2020/10/14
-description: Detects CLR DLL being loaded by an scripting applications
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\wscript.exe'
- SELECTION_3:
- Image: '*\cscript.exe'
- SELECTION_4:
- Image: '*\mshta.exe'
- SELECTION_5:
- ImageLoaded: '*\clr.dll'
- SELECTION_6:
- ImageLoaded: '*\mscoree.dll'
- SELECTION_7:
- ImageLoaded: '*\mscorlib.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5
- or SELECTION_6 or SELECTION_7))
-falsepositives:
-- unknown
-id: 4508a70e-97ef-4300-b62b-ff27992990ea
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://github.com/tyranid/DotNetToJScript
-- https://thewover.github.io/Introducing-Donut/
-- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.t1055
-yml_filename: sysmon_susp_script_dotnet_clr_dll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
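Review bot: the tags `attack.privilege_escalation` and `attack.t1055` do not match the behaviour the rule describes (a CLR DLL loaded by wscript.exe, cscript.exe or mshta.exe); T1055 is Process Injection, and nothing in SELECTION_1 through SELECTION_7 observes injection. If the rule is reinstated, retag it to the execution technique the DotNetToJScript and Donut references actually cover.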
diff --git a/rules/alert-rules/sigma/sysmon_susp_service_installed.yml b/rules/alert-rules/sigma/sysmon_susp_service_installed.yml
deleted file mode 100644
index ae307432..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_service_installed.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Suspicious Service Installed
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-description: Detects installation of NalDrv or PROCEXP152 services via registry-keys
- to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs
- (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- Details: '*\WINDOWS\system32\Drivers\PROCEXP152.SYS*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath
- SELECTION_5:
- TargetObject: HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath
- SELECTION_6:
- Image: '*\procexp64.exe'
- SELECTION_7:
- Image: '*\procexp.exe'
- SELECTION_8:
- Image: '*\procmon64.exe'
- SELECTION_9:
- Image: '*\procmon.exe'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5)
- and not ((SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))) and not
- ((SELECTION_10)))
-falsepositives:
-- Other legimate tools using this service names and drivers. Note - clever attackers
- may easily bypass this detection by just renaming the services. Therefore just
- Medium-level and don't rely on it.
-id: f2485272-a156-4773-82d7-1d178bc4905b
-level: medium
-logsource:
- category: registry_event
- product: windows
-references:
-- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-status: experimental
-tags:
-- attack.t1089
-- attack.t1562.001
-- attack.defense_evasion
-yml_filename: sysmon_susp_service_installed.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
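Review bot: the description says the rule fires on NalDrv or PROCEXP152 services pointing to non-system32 folders, but the only system32 exclusion, SELECTION_10 `Details: '*\WINDOWS\system32\Drivers\PROCEXP152.SYS*'`, covers PROCEXP152; a NalDrv ImagePath under system32 still alerts, contradicting the description. If reinstated, either add the matching NalDrv exclusion or reword the description to say what the condition actually does.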
diff --git a/rules/alert-rules/sigma/sysmon_susp_service_modification.yml b/rules/alert-rules/sigma/sysmon_susp_service_modification.yml
deleted file mode 100644
index 5a3b45d7..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_service_modification.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Stop Or Remove Antivirus Service
-author: frack113
-date: 2021/07/07
-description: Adversaries may disable security tools to avoid possible detection of
- their tools and activities by stopping antivirus service
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Stop-Service *'
- SELECTION_3:
- CommandLine: '*Remove-Service *'
- SELECTION_4:
- CommandLine: '* McAfeeDLPAgentService*'
- SELECTION_5:
- CommandLine: '* Trend Micro Deep Security Manager*'
- SELECTION_6:
- CommandLine: '* TMBMServer*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_susp_service_modification.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_susp_system_drawing_load.yml b/rules/alert-rules/sigma/sysmon_susp_system_drawing_load.yml
deleted file mode 100644
index d2452005..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_system_drawing_load.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious System.Drawing Load
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for processes loading System.Drawing.ni.dll. This
- could be an indicator of potential Screen Capture.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\System.Drawing.ni.dll'
- SELECTION_3:
- Image: '*\WmiPrvSE.exe'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- unknown
-id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-level: medium
-logsource:
- category: image_load
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/16
-- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
-status: experimental
-tags:
-- attack.collection
-- attack.t1113
-yml_filename: sysmon_susp_system_drawing_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
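Review bot: `falsepositives: unknown` at `level: medium` understates this rule: `ImageLoaded: '*\System.Drawing.ni.dll'` matches any .NET process that uses System.Drawing, which includes ordinary WinForms and GDI+ applications, and the single exclusion `Image: '*\WmiPrvSE.exe'` will not keep it quiet on workstations. If a replacement is planned, pair the image load with a parent-process or command-line indicator rather than relying on excluding the WMI provider host alone.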
diff --git a/rules/alert-rules/sigma/sysmon_susp_webdav_client_execution.yml b/rules/alert-rules/sigma/sysmon_susp_webdav_client_execution.yml
deleted file mode 100644
index afc94791..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_webdav_client_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious WebDav Client Execution
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for svchost.exe spawning rundll32.exe with command
- arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an
- indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\rundll32.exe'
- SELECTION_3:
- CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/17
-- https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048.003
-yml_filename: sysmon_susp_webdav_client_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
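Review bot: the description says this catches `svchost.exe spawning rundll32.exe`, but `condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)` never checks `ParentImage`, and `CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*'` hard-codes the drive letter and system root. A successor rule should add a `ParentImage: '*\svchost.exe'` selection and match on `*\davclnt.dll,DavSetCookie*` so a non-default `%SystemRoot%` still triggers.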
diff --git a/rules/alert-rules/sigma/sysmon_susp_winword_vbadll_load.yml b/rules/alert-rules/sigma/sysmon_susp_winword_vbadll_load.yml
deleted file mode 100644
index f2259fec..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_winword_vbadll_load.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: VBA DLL Loaded Via Microsoft Word
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: '*\VBE7.DLL'
- SELECTION_7:
- ImageLoaded: '*\VBEUI.DLL'
- SELECTION_8:
- ImageLoaded: '*\VBE7INTL.DLL'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-yml_filename: sysmon_susp_winword_vbadll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
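Review bot: the title `VBA DLL Loaded Via Microsoft Word` is narrower than the logic, which ORs `winword.exe`, `powerpnt.exe`, `excel.exe` and `outlook.exe`; and the rule's own `falsepositives` entry admits it `Alerts on legitimate macro usage as well`, yet it ships at `level: high`. If the rule is re-added, rename it to cover Office generally and either lower the level or add the per-environment filtering the FP note asks for.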
diff --git a/rules/alert-rules/sigma/sysmon_susp_winword_wmidll_load.yml b/rules/alert-rules/sigma/sysmon_susp_winword_wmidll_load.yml
deleted file mode 100644
index 126874d3..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_winword_wmidll_load.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
-author: Michael R. (@nahamike01)
-date: 2019/12/26
-description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_10:
- ImageLoaded: '*\wbemsvc.dll'
- SELECTION_2:
- Image: '*\winword.exe'
- SELECTION_3:
- Image: '*\powerpnt.exe'
- SELECTION_4:
- Image: '*\excel.exe'
- SELECTION_5:
- Image: '*\outlook.exe'
- SELECTION_6:
- ImageLoaded: '*\wmiutils.dll'
- SELECTION_7:
- ImageLoaded: '*\wbemcomn.dll'
- SELECTION_8:
- ImageLoaded: '*\wbemprox.dll'
- SELECTION_9:
- ImageLoaded: '*\wbemdisp.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10))
-falsepositives:
-- Possible. Requires further testing.
-id: a457f232-7df9-491d-898f-b5aabd2cbe2f
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
-- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-yml_filename: sysmon_susp_winword_wmidll_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
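Review bot: `level: high` combined with `falsepositives: Possible. Requires further testing.` is an unvalidated high-severity alert, and as with the VBA rule the title says Word while the selections cover four Office binaries. Since the description itself describes the trigger as macros `Executing WMI Commands`, any legitimate macro or add-in that queries WMI loads these same `wbem*.dll` modules; settle the FP status before assigning `high` if this comes back.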
diff --git a/rules/alert-rules/sigma/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/alert-rules/sigma/sysmon_susp_wmi_consumer_namedpipe.yml
deleted file mode 100644
index d240997d..00000000
--- a/rules/alert-rules/sigma/sysmon_susp_wmi_consumer_namedpipe.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: WMI Event Consumer Created Named Pipe
-author: Florian Roth
-date: 2021/09/01
-description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
-detection:
- SELECTION_1:
- EventID: 17
- SELECTION_2:
- EventID: 18
- SELECTION_3:
- Image: '*\scrcons.exe'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
-falsepositives:
-- Unknown
-id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
-level: high
-logsource:
- category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- product: windows
-references:
-- https://github.com/RiccardoAncarani/LiquidSnake
-status: experimental
-yml_filename: sysmon_susp_wmi_consumer_namedpipe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
-
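Review bot: this rule has no `tags` block, unlike every other file in the series, so the `Image: '*\scrcons.exe'` named-pipe detection was never mapped to ATT&CK; T1546.003 (WMI Event Subscription) would fit, since `scrcons.exe` is the ActiveScript event consumer host named in the description. It also carries `level: high` with `falsepositives: Unknown`. Add the tags and an FP assessment if the rule is recreated.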
diff --git a/rules/alert-rules/sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/alert-rules/sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
deleted file mode 100644
index 3ddd40c1..00000000
--- a/rules/alert-rules/sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-title: Load of dbghelp/dbgcore DLL from Suspicious Process
-author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
- suspicious processes. Tools like ProcessHacker and some attacker tradecract use
- MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
- C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
- and transfer it over the network back to the attacker's machine.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_10:
- Image: '*\excel.exe'
- SELECTION_11:
- Image: '*\powerpnt.exe'
- SELECTION_12:
- Image: '*\outlook.exe'
- SELECTION_13:
- Image: '*\monitoringhost.exe'
- SELECTION_14:
- Image: '*\wmic.exe'
- SELECTION_15:
- Image: '*\bash.exe'
- SELECTION_16:
- Image: '*\wscript.exe'
- SELECTION_17:
- Image: '*\cscript.exe'
- SELECTION_18:
- Image: '*\mshta.exe'
- SELECTION_19:
- Image: '*\regsvr32.exe'
- SELECTION_2:
- ImageLoaded: '*\dbghelp.dll'
- SELECTION_20:
- Image: '*\schtasks.exe'
- SELECTION_21:
- Image: '*\dnx.exe'
- SELECTION_22:
- Image: '*\regsvcs.exe'
- SELECTION_23:
- Image: '*\sc.exe'
- SELECTION_24:
- Image: '*\scriptrunner.exe'
- SELECTION_25:
- Image: '*Visual Studio*'
- SELECTION_26:
- ImageLoaded: '*\dbghelp.dll'
- SELECTION_27:
- ImageLoaded: '*\dbgcore.dll'
- SELECTION_28:
- Signed: 'FALSE'
- SELECTION_29:
- Image: '*Visual Studio*'
- SELECTION_3:
- ImageLoaded: '*\dbgcore.dll'
- SELECTION_4:
- Image: '*\msbuild.exe'
- SELECTION_5:
- Image: '*\cmd.exe'
- SELECTION_6:
- Image: '*\svchost.exe'
- SELECTION_7:
- Image: '*\rundll32.exe'
- SELECTION_8:
- Image: '*\powershell.exe'
- SELECTION_9:
- Image: '*\word.exe'
- condition: (SELECTION_1 and ((((SELECTION_2 or SELECTION_3) and (SELECTION_4 or
- SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or
- SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24))
- and not (SELECTION_25)) or (((SELECTION_26 or SELECTION_27) and SELECTION_28)
- and not (SELECTION_29))))
-falsepositives:
-- Penetration tests
-fields:
-- ComputerName
-- User
-- Image
-- ImageLoaded
-id: 0e277796-5f23-4e49-a490-483131d4f6e1
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
-- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: sysmon_suspicious_dbghelp_dbgcore_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
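Review bot: `SELECTION_9: Image: '*\word.exe'` can never match, because the Word binary is `winword.exe` (the neighbouring `excel.exe`/`powerpnt.exe`/`outlook.exe` entries use the real names), and `SELECTION_26`/`SELECTION_27`/`SELECTION_29` duplicate `SELECTION_2`/`SELECTION_3`/`SELECTION_25` verbatim, so the second branch of the condition reduces to `(dbghelp or dbgcore) and Signed: 'FALSE' and not Visual Studio`. The description also has `tradecract` for `tradecraft`. Any re-conversion should fix the image name and collapse the duplicate selections.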
diff --git a/rules/alert-rules/sigma/sysmon_suspicious_keyboard_layout_load.yml b/rules/alert-rules/sigma/sysmon_suspicious_keyboard_layout_load.yml
deleted file mode 100644
index 8d37535b..00000000
--- a/rules/alert-rules/sigma/sysmon_suspicious_keyboard_layout_load.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Suspicious Keyboard Layout Load
-author: Florian Roth
-date: 2019/10/12
-description: Detects the keyboard preload installation with a suspicious keyboard
- layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
- maintained by US staff only
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Keyboard Layout\Preload\\*'
- SELECTION_5:
- TargetObject: '*\Keyboard Layout\Substitutes\\*'
- SELECTION_6:
- Details: '*00000429*'
- SELECTION_7:
- Details: '*00050429*'
- SELECTION_8:
- Details: '*0000042a*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and (SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- Administrators or users that actually use the selected keyboard layouts (heavily
- depends on the organisation's user base)
-id: 34aa0252-6039-40ff-951f-939fd6ce47d8
-level: medium
-logsource:
- category: registry_event
- definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload
- subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
- product: windows
-modified: 2019/10/15
-references:
-- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
-- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
-tags:
-- attack.resource_development
-- attack.t1588.002
-yml_filename: sysmon_suspicious_keyboard_layout_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
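Review bot: the `definition` refers to the `\Keyboard Layout\Preload subkey of the HKLU hives`; there is no HKLU hive, and the rule's own reference URL places the key under `HKEY_CURRENT_USER`. The description promises `Chinese, Iranian or Vietnamese` layouts, but the `Details` selections only cover `00000429`/`00050429` (Persian) and `0000042a` (Vietnamese), with no Chinese layout ID, and the rule has no `status` field while tagging `attack.t1588.002`, an adversary resource-development technique rather than an observed host behaviour. Worth correcting if the rule comes back.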
diff --git a/rules/alert-rules/sigma/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/alert-rules/sigma/sysmon_suspicious_outbound_kerberos_connection.yml
deleted file mode 100644
index 06f07681..00000000
--- a/rules/alert-rules/sigma/sysmon_suspicious_outbound_kerberos_connection.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Suspicious Outbound Kerberos Connection
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-description: Detects suspicious outbound network activity via kerberos default port
- indicating possible lateral movement or first stage PrivEsc via delegation.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationPort: 88
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- Image: '*\lsass.exe'
- SELECTION_5:
- Image: '*\opera.exe'
- SELECTION_6:
- Image: '*\chrome.exe'
- SELECTION_7:
- Image: '*\firefox.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5 or SELECTION_6 or SELECTION_7)))
-falsepositives:
-- Other browsers
-id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://github.com/GhostPack/Rubeus
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1558
-- attack.t1208
-- attack.lateral_movement
-- attack.t1550.003
-- attack.t1097
-yml_filename: sysmon_suspicious_outbound_kerberos_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
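Review bot: the `tags` list carries both the current IDs (`attack.t1558`, `attack.t1550.003`) and the retired ones they replaced (`attack.t1208`, `attack.t1097`); the deprecated pair should go. The exclusion list is only `lsass.exe` plus three browsers, and the FP field already concedes `Other browsers`, so at `level: high` this fires on any application that speaks Kerberos to port 88 itself rather than through SSPI; a successor should exclude by signer or image path rather than by three browser names.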
diff --git a/rules/alert-rules/sigma/sysmon_suspicious_powershell_profile_create.yml b/rules/alert-rules/sigma/sysmon_suspicious_powershell_profile_create.yml
deleted file mode 100644
index db63e1cd..00000000
--- a/rules/alert-rules/sigma/sysmon_suspicious_powershell_profile_create.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Powershell Profile.ps1 Modification
-author: HieuTT35
-date: 2019/10/24
-description: Detects a change in profile.ps1 of the Powershell profile
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\profile.ps1*'
- SELECTION_3:
- TargetFilename: '*\My Documents\PowerShell\\*'
- SELECTION_4:
- TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- System administrator create Powershell profile manually
-id: b5b78988-486d-4a80-b991-930eff3ff8bf
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/24
-references:
-- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1546.013
-yml_filename: sysmon_suspicious_powershell_profile_create.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
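Review bot: `TargetFilename: '*\My Documents\PowerShell\\*'` will not match on a current system: Sysmon logs the resolved path, and the per-user profile lives under `Documents\WindowsPowerShell\` (Windows PowerShell) or `Documents\PowerShell\` (PowerShell 7), not `My Documents`. With `SELECTION_4` tied to `C:\Windows\System32\WindowsPowerShell\v1.0\\*`, the rule effectively only saw the machine-wide 64-bit profile. A successor should match `*\Documents\WindowsPowerShell\*`, `*\Documents\PowerShell\*` and both the `System32` and `SysWOW64` locations.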
diff --git a/rules/alert-rules/sigma/sysmon_suspicious_remote_thread.yml b/rules/alert-rules/sigma/sysmon_suspicious_remote_thread.yml
deleted file mode 100644
index 293d392a..00000000
--- a/rules/alert-rules/sigma/sysmon_suspicious_remote_thread.yml
+++ /dev/null
@@ -1,144 +0,0 @@
-title: Suspicious Remote Thread Created
-author: Perez Diego (@darkquassar), oscd.community
-date: 2019/10/27
-description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
- however, this is still largely observed in the wild. This rule aims to detect
- suspicious processes (those we would not expect to behave in this way like word.exe
- or outlook.exe) creating remote threads on other processes. It is a generalistic
- rule, but it should have a low FP ratio due to the selected range of processes.
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_10:
- SourceImage: '*\find.exe'
- SELECTION_11:
- SourceImage: '*\findstr.exe'
- SELECTION_12:
- SourceImage: '*\forfiles.exe'
- SELECTION_13:
- SourceImage: '*\git.exe'
- SELECTION_14:
- SourceImage: '*\gpupdate.exe'
- SELECTION_15:
- SourceImage: '*\hh.exe'
- SELECTION_16:
- SourceImage: '*\iexplore.exe'
- SELECTION_17:
- SourceImage: '*\installutil.exe'
- SELECTION_18:
- SourceImage: '*\lync.exe'
- SELECTION_19:
- SourceImage: '*\makecab.exe'
- SELECTION_2:
- SourceImage: '*\bash.exe'
- SELECTION_20:
- SourceImage: '*\mDNSResponder.exe'
- SELECTION_21:
- SourceImage: '*\monitoringhost.exe'
- SELECTION_22:
- SourceImage: '*\msbuild.exe'
- SELECTION_23:
- SourceImage: '*\mshta.exe'
- SELECTION_24:
- SourceImage: '*\msiexec.exe'
- SELECTION_25:
- SourceImage: '*\mspaint.exe'
- SELECTION_26:
- SourceImage: '*\outlook.exe'
- SELECTION_27:
- SourceImage: '*\ping.exe'
- SELECTION_28:
- SourceImage: '*\powerpnt.exe'
- SELECTION_29:
- SourceImage: '*\powershell.exe'
- SELECTION_3:
- SourceImage: '*\cvtres.exe'
- SELECTION_30:
- SourceImage: '*\provtool.exe'
- SELECTION_31:
- SourceImage: '*\python.exe'
- SELECTION_32:
- SourceImage: '*\regsvr32.exe'
- SELECTION_33:
- SourceImage: '*\robocopy.exe'
- SELECTION_34:
- SourceImage: '*\runonce.exe'
- SELECTION_35:
- SourceImage: '*\sapcimc.exe'
- SELECTION_36:
- SourceImage: '*\schtasks.exe'
- SELECTION_37:
- SourceImage: '*\smartscreen.exe'
- SELECTION_38:
- SourceImage: '*\spoolsv.exe'
- SELECTION_39:
- SourceImage: '*\tstheme.exe'
- SELECTION_4:
- SourceImage: '*\defrag.exe'
- SELECTION_40:
- SourceImage: '*\userinit.exe'
- SELECTION_41:
- SourceImage: '*\vssadmin.exe'
- SELECTION_42:
- SourceImage: '*\vssvc.exe'
- SELECTION_43:
- SourceImage: '*\w3wp.exe'
- SELECTION_44:
- SourceImage: '*\winlogon.exe'
- SELECTION_45:
- SourceImage: '*\winscp.exe'
- SELECTION_46:
- SourceImage: '*\wmic.exe'
- SELECTION_47:
- SourceImage: '*\word.exe'
- SELECTION_48:
- SourceImage: '*\wscript.exe'
- SELECTION_49:
- SourceImage: '*Visual Studio*'
- SELECTION_5:
- SourceImage: '*\dnx.exe'
- SELECTION_6:
- SourceImage: '*\esentutl.exe'
- SELECTION_7:
- SourceImage: '*\excel.exe'
- SELECTION_8:
- SourceImage: '*\expand.exe'
- SELECTION_9:
- SourceImage: '*\explorer.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
- or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
- or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
- or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
- or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
- or SELECTION_46 or SELECTION_47 or SELECTION_48) and not (SELECTION_49))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- SourceImage
-- TargetImage
-id: 66d31e5f-52d6-40a4-9615-002d3789a119
-level: high
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2021/06/27
-notes:
-- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
- for process injection for .NET in-memory offensive tools.
-references:
-- Personal research, statistical analysis
-- https://lolbas-project.github.io
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.defense_evasion
-- attack.t1055
-yml_filename: sysmon_suspicious_remote_thread.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
-
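Review bot: `SourceImage: '*\word.exe'` (SELECTION_47) is dead for the same reason as in the dbghelp rule: the process is `winword.exe`. `notes:` is not a Sigma field and strict loaders reject it, so it should be a YAML comment or folded into `description`. The source list also includes `explorer.exe`, `winlogon.exe` and `userinit.exe`, which can appear as EID 8 sources during a normal logon, so the description's `low FP ratio` claim needs validating before this is re-added at `level: high`.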
diff --git a/rules/alert-rules/sigma/sysmon_svchost_cred_dump.yml b/rules/alert-rules/sigma/sysmon_svchost_cred_dump.yml
deleted file mode 100644
index c97584fa..00000000
--- a/rules/alert-rules/sigma/sysmon_svchost_cred_dump.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: SVCHOST Credential Dump
-author: Florent Labouyrie
-date: 2021/04/30
-description: Detects when a process, such as mimikatz, accesses the memory of svchost
- to dump credentials
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- TargetImage: '*\svchost.exe'
- SELECTION_3:
- GrantedAccess: '0x143a'
- SELECTION_4:
- SourceImage: '*\services.exe'
- SELECTION_5:
- SourceImage: '*\msiexec.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- or SELECTION_5)))
-falsepositives:
-- Non identified legit exectubale
-id: 174afcfa-6e40-4ae9-af64-496546389294
-level: critical
-logsource:
- category: process_access
- product: windows
-tags:
-- attack.t1548
-yml_filename: sysmon_svchost_cred_dump.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
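Review bot: the only tag is `attack.t1548` (Abuse Elevation Control Mechanism), which does not describe memory access to `svchost.exe` for credential theft; the rule should have carried `attack.credential_access` and `attack.t1003`. `GrantedAccess: '0x143a'` is an exact string match on one access mask, so any other rights combination slips past, there is no `status` field, and the FP text reads `exectubale`. Fix the mapping and match on a list of masks (or the relevant bits) if this is ever reinstated.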
diff --git a/rules/alert-rules/sigma/sysmon_svchost_dll_search_order_hijack.yml b/rules/alert-rules/sigma/sysmon_svchost_dll_search_order_hijack.yml
deleted file mode 100644
index a0681d0b..00000000
--- a/rules/alert-rules/sigma/sysmon_svchost_dll_search_order_hijack.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Svchost DLL Search Order Hijack
-author: SBousseaden
-date: 2019/10/28
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
- do not exist within C:\Windows\System32\ by default. An attacker can place their
- malicious logic within the PROCESS_ATTACH block of their library and restart the
- aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
- machine.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\svchost.exe'
- SELECTION_3:
- ImageLoaded: '*\tsmsisrv.dll'
- SELECTION_4:
- ImageLoaded: '*\tsvipsrv.dll'
- SELECTION_5:
- ImageLoaded: '*\wlbsctrl.dll'
- SELECTION_6:
- ImageLoaded: C:\Windows\WinSxS\\*
- condition: (SELECTION_1 and ((SELECTION_2) and (SELECTION_3 or SELECTION_4 or
- SELECTION_5)) and not ((SELECTION_6)))
-falsepositives:
-- Pentest
-id: 602a1f13-c640-4d73-b053-be9a2fa58b77
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-- attack.t1038
-- attack.t1574.001
-yml_filename: sysmon_svchost_dll_search_order_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
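Review bot: `tags` mixes the retired IDs `attack.t1073` and `attack.t1038` with their replacements `attack.t1574.002` and `attack.t1574.001`; drop the old ones. The description opens with a fragment (`IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist ...`) that lost its main clause, and the exclusion `ImageLoaded: C:\Windows\WinSxS\\*` is the only guard against the legitimate component-store copies, so it assumes a `C:` system drive; `'*\WinSxS\*'` would be safer.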
diff --git a/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_file_deletion.yml
deleted file mode 100644
index 597865e3..00000000
--- a/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_file_deletion.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Sysinternals SDelete File Deletion
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection to trigger for the deletion of files by Sysinternals
- SDelete. It looks for the common name pattern used to rename files.
-detection:
- SELECTION_1:
- EventID: 23
- SELECTION_2:
- EventID: 26
- SELECTION_3:
- TargetFilename: '*.AAA'
- SELECTION_4:
- TargetFilename: '*.ZZZ'
- condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Legitime usage of SDelete
-id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
-level: medium
-logsource:
- category: file_delete
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/9
-- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.004
-yml_filename: sysmon_sysinternals_sdelete_file_deletion.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
-
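Review bot: the condition ORs `EventID: 23` and `EventID: 26`, which only exist when Sysmon's FileDelete/FileDeleteDetected logging is enabled, yet `logsource` gives no `definition` hint the way the named-pipe rule does; `TargetFilename: '*.AAA'` / `'*.ZZZ'` also hits any legitimate file with those extensions, not just SDelete's rename pattern. The FP text `Legitime usage` should read `Legitimate usage`.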
diff --git a/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_registry_keys.yml
deleted file mode 100644
index 8e44b9b5..00000000
--- a/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_registry_keys.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Sysinternals SDelete Registry Keys
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete
- registry keys. Indicators of the use of Sysinternals SDelete tool.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\Sysinternals\SDelete*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- unknown
-id: 9841b233-8df8-4ad7-9133-b0b4402a9014
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/12
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/9
-- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.004
-yml_filename: sysmon_sysinternals_sdelete_registry_keys.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_taskcache_entry.yml b/rules/alert-rules/sigma/sysmon_taskcache_entry.yml
deleted file mode 100644
index c91f0840..00000000
--- a/rules/alert-rules/sigma/sysmon_taskcache_entry.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: New TaskCache Entry
-author: Syed Hasan (@syedhasan009)
-date: 2021/06/18
-description: Monitor the creation of a new key under 'TaskCache' when a new scheduled
- task is registered
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventType: SetValue
- SELECTION_5:
- TargetObject: '*SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
-level: medium
-logsource:
- category: registry_event
- product: windows
-modified: 2021/07/27
-references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-tags:
-- attack.persistence
-- attack.t1053
-- attack.t1053.005
-yml_filename: sysmon_taskcache_entry.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
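Review bot: `condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)` requires `EventType: SetValue`, which Sysmon only emits for EID 13, so the EID 12 (CreateKey/DeleteKey) and EID 14 (RenameKey) alternatives are dead, and the title `New TaskCache Entry` promises key creation that the rule does not actually match. There is no `status` field either. A replacement should either drop the `EventType` constraint or restrict to EID 12 with `EventType: CreateKey`.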
diff --git a/rules/alert-rules/sigma/sysmon_tsclient_filewrite_startup.yml b/rules/alert-rules/sigma/sysmon_tsclient_filewrite_startup.yml
deleted file mode 100644
index 7314e677..00000000
--- a/rules/alert-rules/sigma/sysmon_tsclient_filewrite_startup.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Hijack Legit RDP Session to Move Laterally
-author: Samir Bousseaden
-date: 2019/02/21
-description: Detects the usage of tsclient share to place a backdoor on the RDP source
- machine's startup folder
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*\mstsc.exe'
- SELECTION_3:
- TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 52753ea4-b3a0-4365-910d-36cff487b789
-level: high
-logsource:
- category: file_event
- product: windows
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1219
-yml_filename: sysmon_tsclient_filewrite_startup.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
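Review bot: `tags` maps this to `attack.command_and_control` / `attack.t1219` (Remote Access Software), but the behaviour detected, `mstsc.exe` writing into `*\Microsoft\Windows\Start Menu\Programs\Startup\\*`, is Startup-folder persistence (T1547.001) reached over an RDP session (T1021.001), which is what the title `Hijack Legit RDP Session to Move Laterally` describes. Re-map before any re-add; the rule also has no `references`, so its provenance is thin.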
diff --git a/rules/alert-rules/sigma/sysmon_tttracer_mod_load.yml b/rules/alert-rules/sigma/sysmon_tttracer_mod_load.yml
deleted file mode 100644
index 671a76fd..00000000
--- a/rules/alert-rules/sigma/sysmon_tttracer_mod_load.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Time Travel Debugging Utility Usage
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
-date: 2020/10/06
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
- malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\ttdrecord.dll'
- SELECTION_3:
- ImageLoaded: '*\ttdwriter.dll'
- SELECTION_4:
- ImageLoaded: '*\ttdloader.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- Legitimate usage by software developers/testers
-id: e76c8240-d68f-4773-8880-5c6f63595aaf
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/21
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
-- https://twitter.com/mattifestation/status/1196390321783025666
-- https://twitter.com/oulusoyum/status/1191329746069655553
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.credential_access
-- attack.t1218
-- attack.t1003.001
-yml_filename: sysmon_tttracer_mod_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_consent_comctl32.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_consent_comctl32.yml
deleted file mode 100644
index ecb9722c..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_consent_comctl32.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: UAC Bypass Using Consent and Comctl32 - File
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
- (UACMe 22)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Windows\System32\consent.exe.@*
- SELECTION_3:
- TargetFilename: '*\comctl32.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_consent_comctl32.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_dotnet_profiler.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_dotnet_profiler.yml
deleted file mode 100644
index e74b346e..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_dotnet_profiler.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: UAC Bypass Using .NET Code Profiler on MMC
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
- DLL hijacking (UACMe 39)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\pe386.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 93a19907-d4f9-4deb-9f91-aac4692776a6
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_dotnet_profiler.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_ieinstal.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_ieinstal.yml
deleted file mode 100644
index d1f02441..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_ieinstal.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: UAC Bypass Using IEInstal - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: C:\Program Files\Internet Explorer\IEInstal.exe
- SELECTION_3:
- TargetFilename: C:\Users\\*
- SELECTION_4:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_5:
- TargetFilename: '*consent.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_ieinstal.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_msconfig_gui.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_msconfig_gui.yml
deleted file mode 100644
index 8e96834b..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_msconfig_gui.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: UAC Bypass Using MSConfig Token Modification - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 41bb431f-56d8-4691-bb56-ed34e390906f
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_msconfig_gui.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
deleted file mode 100644
index 8b695308..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: UAC Bypass Using NTFS Reparse Point - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
- DLL hijacking (UACMe 36)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_ntfs_reparse_point.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_sdclt.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_sdclt.yml
deleted file mode 100644
index 3a4485c1..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_sdclt.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: UAC Bypass via Sdclt
-author: Omer Yampel, Christian Burkard
-date: 2017/03/17
-description: Detects the pattern of UAC Bypass using registry key manipulation of
- sdclt.exe (e.g. UACMe 53)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Software\Classes\exefile\shell\runas\command\isolatedCommand'
- SELECTION_5:
- TargetObject: '*Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
- SELECTION_6:
- Details: '*-1???\Software\Classes\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or (SELECTION_5
- and SELECTION_6)))
-falsepositives:
-- unknown
-id: 5b872a46-3b90-45c1-8419-f675db8053aa
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/17
-references:
-- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1088
-- attack.t1548.002
-- car.2019-04-001
-yml_filename: sysmon_uac_bypass_sdclt.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_shell_open.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_shell_open.yml
deleted file mode 100644
index c3a67949..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_shell_open.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: UAC Bypass Using Registry Shell Open Keys
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe,
- slui.exe via registry keys (e.g. UACMe 33 or 62)
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: '*Classes\ms-settings\shell\open\command\(Default)'
- SELECTION_11:
- TargetObject: '*Classes\exefile\shell\open\command\(Default)'
- SELECTION_12:
- Details: (Empty)
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*Classes\ms-settings\shell\open\command\SymbolicLinkValue'
- SELECTION_5:
- Details: '*\Software\Classes\{*'
- SELECTION_6:
- TargetObject: '*Classes\ms-settings\shell\open\command\DelegateExecute'
- SELECTION_7:
- EventID: 12
- SELECTION_8:
- EventID: 13
- SELECTION_9:
- EventID: 14
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
- SELECTION_5) or SELECTION_6) or ((SELECTION_7 or SELECTION_8 or SELECTION_9)
- and (SELECTION_10 or SELECTION_11) and not (SELECTION_12))))
-falsepositives:
-- Unknown
-id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/17
-references:
-- https://github.com/hfiref0x/UACME
-- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-- https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_shell_open.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
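Review bot: SELECTION_7, SELECTION_8 and SELECTION_9 in the removed rule repeat SELECTION_1, SELECTION_2 and SELECTION_3 (`EventID: 12`, `13`, `14`), so the condition re-checks the same event filter inside its second branch; if this rule is regenerated, define the event filter once and let the condition read `(SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and SELECTION_5) or SELECTION_6 or ((SELECTION_10 or SELECTION_11) and not SELECTION_12))`.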
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_via_dism.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_via_dism.yml
deleted file mode 100644
index a1431719..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_via_dism.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: UAC Bypass With Fake DLL
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/06
-description: Attempts to load dismcore.dll after dropping it
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\dism.exe'
- SELECTION_3:
- ImageLoaded: '*\dismcore.dll'
- condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3))
-falsepositives:
-- Pentests
-- Actions of a legitimate telnet client
-id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-- attack.t1574.002
-yml_filename: sysmon_uac_bypass_via_dism.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
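Review bot: the falsepositives entry `- Actions of a legitimate telnet client` has nothing to do with a detection that only matches `dism.exe` loading `dismcore.dll` (EventID 7), and the condition wraps single selections in redundant parentheses (`(SELECTION_2) and (SELECTION_3)`); if this rule is carried over, replace the false-positive entry with one that fits the logic and simplify the condition to `SELECTION_1 and SELECTION_2 and SELECTION_3`.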
diff --git a/rules/alert-rules/sigma/sysmon_uac_bypass_wow64_logger.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_wow64_logger.yml
deleted file mode 100644
index 1e8d3e41..00000000
--- a/rules/alert-rules/sigma/sysmon_uac_bypass_wow64_logger.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: UAC Bypass Using WOW64 Logger DLL Hijack
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
- 30)
-detection:
- SELECTION_1:
- EventID: 10
- SELECTION_2:
- SourceImage: '*:\Windows\SysWOW64\\*'
- SELECTION_3:
- GrantedAccess: '0x1fffff'
- SELECTION_4:
- CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
-level: high
-logsource:
- category: process_access
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-yml_filename: sysmon_uac_bypass_wow64_logger.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
-
diff --git a/rules/alert-rules/sigma/sysmon_uipromptforcreds_dlls.yml b/rules/alert-rules/sigma/sysmon_uipromptforcreds_dlls.yml
deleted file mode 100644
index c7763031..00000000
--- a/rules/alert-rules/sigma/sysmon_uipromptforcreds_dlls.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: UIPromptForCredentials DLLs
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-description: Detects potential use of UIPromptForCredentials functions by looking
- for some of the DLLs needed for it.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\credui.dll'
- SELECTION_3:
- ImageLoaded: '*\wincredui.dll'
- SELECTION_4:
- OriginalFileName: credui.dll
- SELECTION_5:
- OriginalFileName: wincredui.dll
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 or SELECTION_5)))
-falsepositives:
-- other legitimate processes loading those DLLs in your environment.
-id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
-level: medium
-logsource:
- category: image_load
- product: windows
-references:
-- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
-- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
-status: experimental
-tags:
-- attack.credential_access
-- attack.collection
-- attack.t1056.002
-yml_filename: sysmon_uipromptforcreds_dlls.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_uninstall_crowdstrike_falcon.yml b/rules/alert-rules/sigma/sysmon_uninstall_crowdstrike_falcon.yml
deleted file mode 100644
index c8f1cdf3..00000000
--- a/rules/alert-rules/sigma/sysmon_uninstall_crowdstrike_falcon.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Uninstall Crowdstrike Falcon
-author: frack113
-date: 2021/07/12
-description: Adversaries may disable security tools to avoid possible detection of
- their tools and activities by uninstalling Crowdstrike Falcon
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*\WindowsSensor.exe*'
- SELECTION_3:
- CommandLine: '* /uninstall*'
- SELECTION_4:
- CommandLine: '* /quiet*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Uninstall by admin
-fields:
-- ComputerName
-- User
-- CommandLine
-- ParentCommandLine
-id: f0f7be61-9cf5-43be-9836-99d6ef448a18
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562.001
-yml_filename: sysmon_uninstall_crowdstrike_falcon.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/alert-rules/sigma/sysmon_unsigned_image_loaded_into_lsass.yml
deleted file mode 100644
index 18569ea9..00000000
--- a/rules/alert-rules/sigma/sysmon_unsigned_image_loaded_into_lsass.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Unsigned Image Loaded Into LSASS Process
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-description: Loading unsigned image (DLL, EXE) into LSASS process
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\lsass.exe'
- SELECTION_3:
- Signed: 'false'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Valid user connecting using RDP
-id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: sysmon_unsigned_image_loaded_into_lsass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_vmtoolsd_susp_child_process.yml b/rules/alert-rules/sigma/sysmon_vmtoolsd_susp_child_process.yml
deleted file mode 100644
index 5c1c7b07..00000000
--- a/rules/alert-rules/sigma/sysmon_vmtoolsd_susp_child_process.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: VMToolsd Suspicious Child Process
-author: behops, Bhabesh Raj
-date: 2021/10/08
-description: Detects suspicious child process creations of VMware Tools process which
- may indicate persistence setup
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*\VMware\VMware Tools\poweroff-vm-default.bat*'
- SELECTION_11:
- CommandLine: '*\VMware\VMware Tools\resume-vm-default.bat*'
- SELECTION_12:
- CommandLine: '*\VMware\VMware Tools\suspend-vm-default.bat*'
- SELECTION_2:
- ParentImage: '*\vmtoolsd.exe'
- SELECTION_3:
- Image: '*\cmd.exe'
- SELECTION_4:
- Image: '*\powershell.exe'
- SELECTION_5:
- Image: '*\rundll32.exe'
- SELECTION_6:
- Image: '*\regsvr32.exe'
- SELECTION_7:
- Image: '*\wscript.exe'
- SELECTION_8:
- Image: '*\cscript.exe'
- SELECTION_9:
- CommandLine: '*\VMware\VMware Tools\poweron-vm-default.bat*'
- condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8)) and not ((SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12)))
-falsepositives:
-- Legitimate use by adminstrator
-fields:
-- CommandLine
-- ParentCommandLine
-- Details
-id: 5687f942-867b-4578-ade7-1e341c46e99a
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/10/10
-references:
-- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
-status: experimental
-tags:
-- attack.execution
-- attack.persistence
-- attack.t1059
-yml_filename: sysmon_vmtoolsd_susp_child_process.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
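Review bot: `- Legitimate use by adminstrator` in falsepositives misspells administrator; minor, but fix it in any regenerated copy. The allow-list SELECTION_9 through SELECTION_12 only covers the four `*-vm-default.bat` scripts, so a regenerated version must keep those CommandLine entries together with the trailing `not` clause, otherwise the rule fires on every VMware Tools power-state script run by `vmtoolsd.exe`.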
diff --git a/rules/alert-rules/sigma/sysmon_volume_shadow_copy_service_keys.yml b/rules/alert-rules/sigma/sysmon_volume_shadow_copy_service_keys.yml
deleted file mode 100644
index 8f3f5bec..00000000
--- a/rules/alert-rules/sigma/sysmon_volume_shadow_copy_service_keys.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Volume Shadow Copy Service Keys
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-description: Detects the volume shadow copy service initialization and processing.
- Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume
- are captured.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*System\CurrentControlSet\Services\VSS*'
- SELECTION_5:
- TargetObject: '*System\CurrentControlSet\Services\VSS\Start*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
- (SELECTION_5))
-falsepositives:
-- Other services accessing that key or sub keys
-id: 5aad0995-46ab-41bd-a9ff-724f41114971
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/06/02
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.002
-yml_filename: sysmon_volume_shadow_copy_service_keys.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
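Review bot: the description in the removed rule escapes the key as `HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume` while the selections use single backslashes (`'*System\CurrentControlSet\Services\VSS*'`); in a plain YAML scalar the doubled backslashes are kept literally and show up in the alert text, so a regenerated copy should write the description with single backslashes.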
diff --git a/rules/alert-rules/sigma/sysmon_wab_dllpath_reg_change.yml b/rules/alert-rules/sigma/sysmon_wab_dllpath_reg_change.yml
deleted file mode 100644
index 82dd090c..00000000
--- a/rules/alert-rules/sigma/sysmon_wab_dllpath_reg_change.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Execution DLL of Choice Using WAB.EXE
-author: oscd.community, Natalia Shornikova
-date: 2020/10/13
-description: This rule detects that the path to the DLL written in the registry is
- different from the default one. Launched WAB.exe tries to load the DLL from Registry.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\Microsoft\WAB\DLLPath'
- SELECTION_5:
- Details: '%CommonProgramFiles%\System\wab32.dll'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
- (SELECTION_5))
-falsepositives:
-- Unknown
-id: fc014922-5def-4da9-a0fc-28c973f41bfb
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/21
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
-- https://twitter.com/Hexacorn/status/991447379864932352
-- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: sysmon_wab_dllpath_reg_change.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
diff --git a/rules/alert-rules/sigma/sysmon_wdigest_enable_uselogoncredential.yml b/rules/alert-rules/sigma/sysmon_wdigest_enable_uselogoncredential.yml
deleted file mode 100644
index 14c7b43e..00000000
--- a/rules/alert-rules/sigma/sysmon_wdigest_enable_uselogoncredential.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Wdigest Enable UseLogonCredential
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-description: Detects potential malicious modification of the property value of UseLogonCredential
- from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable
- clear-text credentials
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*WDigest\UseLogonCredential'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/05/27
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: sysmon_wdigest_enable_uselogoncredential.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
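Review bot: the removed rule matches any EventID 12, 13 or 14 on `'*WDigest\UseLogonCredential'` without inspecting `Details`, so despite the title `Wdigest Enable UseLogonCredential` it also fires when the value is deleted or set to a non-enabling value; if the rule is regenerated, add a `Details` selection for the enabling value, or rename the rule so it reflects that it detects any change to that value.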
diff --git a/rules/alert-rules/sigma/sysmon_webshell_creation_detect.yml b/rules/alert-rules/sigma/sysmon_webshell_creation_detect.yml
deleted file mode 100644
index 431faddd..00000000
--- a/rules/alert-rules/sigma/sysmon_webshell_creation_detect.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-title: Windows Webshell Creation
-author: Beyu Denis, oscd.community
-date: 2019/10/22
-description: Possible webshell file creation on a static web site
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*\html\\*'
- SELECTION_11:
- TargetFilename: '*.ph*'
- SELECTION_12:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_13:
- TargetFilename: '*\Windows\Temp\\*'
- SELECTION_14:
- TargetFilename: '*.jsp'
- SELECTION_15:
- TargetFilename: '*\cgi-bin\\*'
- SELECTION_16:
- TargetFilename: '*.pl*'
- SELECTION_17:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_18:
- TargetFilename: '*\Windows\Temp\\*'
- SELECTION_2:
- TargetFilename: '*\inetpub\wwwroot\\*'
- SELECTION_3:
- TargetFilename: '*.asp*'
- SELECTION_4:
- TargetFilename: '*.ashx*'
- SELECTION_5:
- TargetFilename: '*.ph*'
- SELECTION_6:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_7:
- TargetFilename: '*\Windows\Temp\\*'
- SELECTION_8:
- TargetFilename: '*\www\\*'
- SELECTION_9:
- TargetFilename: '*\htdocs\\*'
- condition: (SELECTION_1 and ((((SELECTION_2 and (SELECTION_3 or SELECTION_4 or
- SELECTION_5)) and not ((SELECTION_6 or SELECTION_7))) or (((SELECTION_8 or
- SELECTION_9 or SELECTION_10) and SELECTION_11) and not ((SELECTION_12 or
- SELECTION_13)))) or ((SELECTION_14 or (SELECTION_15 and SELECTION_16)) and not
- ((SELECTION_17 or SELECTION_18)))))
-falsepositives:
-- Legitimate administrator or developer creating legitimate executable files in a
- web application folder
-id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- PT ESC rule and personal experience
-status: experimental
-tags:
-- attack.persistence
-- attack.t1100
-- attack.t1505.003
-yml_filename: sysmon_webshell_creation_detect.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
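Review bot: the removed rule carries three copies of the same temp-folder exclusions (SELECTION_6/SELECTION_12/SELECTION_17 and SELECTION_7/SELECTION_13/SELECTION_18 are identical `TargetFilename` patterns) and duplicates `'*.ph*'` as both SELECTION_5 and SELECTION_11; a regenerated version should define each pattern once and hoist the `not (temp dirs)` clause out of the three branches. The references entry `- PT ESC rule and personal experience` is not a URL and cannot be followed, and `attack.t1100` is the superseded ID for what `attack.t1505.003` already covers.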
diff --git a/rules/alert-rules/sigma/sysmon_win_binary_github_com.yml b/rules/alert-rules/sigma/sysmon_win_binary_github_com.yml
deleted file mode 100644
index 5c43108e..00000000
--- a/rules/alert-rules/sigma/sysmon_win_binary_github_com.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Microsoft Binary Github Communication
-author: Michael Haag (idea), Florian Roth (rule)
-date: 2017/08/24
-description: Detects an executable in the Windows folder accessing github.com
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Initiated: 'true'
- SELECTION_3:
- DestinationHostname: '*.github.com'
- SELECTION_4:
- DestinationHostname: '*.githubusercontent.com'
- SELECTION_5:
- Image: C:\Windows\\*
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5)
-falsepositives:
-- Unknown
-- '@subTee in your network'
-id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://twitter.com/M_haggis/status/900741347035889665
-- https://twitter.com/M_haggis/status/1032799638213066752
-- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-- attack.exfiltration
-- attack.t1567.001
-- attack.t1048
-yml_filename: sysmon_win_binary_github_com.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
diff --git a/rules/alert-rules/sigma/sysmon_win_binary_susp_com.yml b/rules/alert-rules/sigma/sysmon_win_binary_susp_com.yml
deleted file mode 100644
index 0de828ab..00000000
--- a/rules/alert-rules/sigma/sysmon_win_binary_susp_com.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Microsoft Binary Suspicious Communication Endpoint
-author: Florian Roth
-date: 2018/08/30
-description: Detects an executable in the Windows folder accessing suspicious domains
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Initiated: 'true'
- SELECTION_3:
- DestinationHostname: '*dl.dropboxusercontent.com'
- SELECTION_4:
- DestinationHostname: '*.pastebin.com'
- SELECTION_5:
- DestinationHostname: '*.githubusercontent.com'
- SELECTION_6:
- Image: C:\Windows\\*
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
-level: high
-logsource:
- category: network_connection
- product: windows
-references:
-- https://twitter.com/M_haggis/status/900741347035889665
-- https://twitter.com/M_haggis/status/1032799638213066752
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-yml_filename: sysmon_win_binary_susp_com.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
diff --git a/rules/alert-rules/sigma/sysmon_win_reg_persistence.yml b/rules/alert-rules/sigma/sysmon_win_reg_persistence.yml
deleted file mode 100644
index 9e611e45..00000000
--- a/rules/alert-rules/sigma/sysmon_win_reg_persistence.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Registry Persistence Mechanisms
-author: Karneades, Jonhnathan Ribeiro
-date: 2018/04/11
-description: Detects persistence registry keys
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_10:
- TargetObject: '*\MonitorProcess*'
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*'
- SELECTION_5:
- TargetObject: '*\Image File Execution Options\\*'
- SELECTION_6:
- TargetObject: '*\GlobalFlag*'
- SELECTION_7:
- TargetObject: '*SilentProcessExit\\*'
- SELECTION_8:
- TargetObject: '*\ReportingMode*'
- SELECTION_9:
- TargetObject: '*SilentProcessExit\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4) and
- ((SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
- and SELECTION_10)))
-falsepositives:
-- unknown
-id: 36803969-5421-41ec-b92f-8500f79c23b0
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2020/09/06
-references:
-- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-tags:
-- attack.privilege_escalation
-- attack.persistence
-- attack.defense_evasion
-- attack.t1183
-- attack.t1546.012
-- car.2013-01-002
-yml_filename: sysmon_win_reg_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
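Review bot: the removed rule has no `status:` field, unlike the sibling rules in this patch, and SELECTION_7 and SELECTION_9 are the same `'*SilentProcessExit\\*'` pattern; if it is regenerated, add the `status` field and reuse a single selection in both the `(SELECTION_7 and SELECTION_8)` and `(SELECTION_9 and SELECTION_10)` branches.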
diff --git a/rules/alert-rules/sigma/sysmon_win_reg_telemetry_persistence.yml b/rules/alert-rules/sigma/sysmon_win_reg_telemetry_persistence.yml
deleted file mode 100644
index 0f43acec..00000000
--- a/rules/alert-rules/sigma/sysmon_win_reg_telemetry_persistence.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Registry Persistence Mechanism via Windows Telemetry
-author: Lednyov Alexey, oscd.community
-date: 2020/10/16
-description: Detects persistence method using windows telemetry
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\\*'
- SELECTION_5:
- TargetObject: '*\Command*'
- SELECTION_6:
- Details: '*.exe*'
- SELECTION_7:
- Details: '*\system32\CompatTelRunner.exe*'
- SELECTION_8:
- Details: '*\system32\DeviceCensus.exe*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5
- and SELECTION_6) and not ((SELECTION_7 or SELECTION_8)))
-falsepositives:
-- unknown
-id: 73a883d0-0348-4be4-a8d8-51031c2564f8
-level: critical
-logsource:
- category: registry_event
- definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows
- NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
- product: windows
-references:
-- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1053.005
-yml_filename: sysmon_win_reg_telemetry_persistence.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
-
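Review bot: the `definition:` text in the removed rule refers to `the HKLU hives`, which is not a Windows hive name; the Sysmon configuration requirement should name the intended hive explicitly (HKLM or HKU) in any regenerated version so that operators know which `TelemetryController` subkey to monitor.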
diff --git a/rules/alert-rules/sigma/sysmon_wmi_module_load.yml b/rules/alert-rules/sigma/sysmon_wmi_module_load.yml
deleted file mode 100644
index eb739db2..00000000
--- a/rules/alert-rules/sigma/sysmon_wmi_module_load.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-title: WMI Modules Loaded
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-description: Detects non wmiprvse loading WMI modules
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_10:
- ImageLoaded: '*\fastprox.dll'
- SELECTION_11:
- Image: '*\WmiPrvSE.exe'
- SELECTION_12:
- Image: '*\WmiApSrv.exe'
- SELECTION_13:
- Image: '*\svchost.exe'
- SELECTION_14:
- Image: '*\DeviceCensus.exe'
- SELECTION_15:
- Image: '*\CompatTelRunner.exe'
- SELECTION_16:
- Image: '*\sdiagnhost.exe'
- SELECTION_17:
- Image: '*\SIHClient.exe'
- SELECTION_18:
- Image: '*\ngentask.exe'
- SELECTION_19:
- Image: '*\windows\system32\taskhostw.exe'
- SELECTION_2:
- ImageLoaded: '*\wmiclnt.dll'
- SELECTION_20:
- Image: '*\windows\system32\MoUsoCoreWorker.exe'
- SELECTION_21:
- Image: '*\windows\system32\wbem\WMIADAP.exe'
- SELECTION_3:
- ImageLoaded: '*\WmiApRpl.dll'
- SELECTION_4:
- ImageLoaded: '*\wmiprov.dll'
- SELECTION_5:
- ImageLoaded: '*\wmiutils.dll'
- SELECTION_6:
- ImageLoaded: '*\wbemcomn.dll'
- SELECTION_7:
- ImageLoaded: '*\wbemprox.dll'
- SELECTION_8:
- ImageLoaded: '*\WMINet_Utils.dll'
- SELECTION_9:
- ImageLoaded: '*\wbemsvc.dll'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- and not ((SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or
- SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21)))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- Image
-- ImageLoaded
-id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/08/18
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-yml_filename: sysmon_wmi_module_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
diff --git a/rules/alert-rules/sigma/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/alert-rules/sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
deleted file mode 100644
index f0dba549..00000000
--- a/rules/alert-rules/sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: WMI Persistence - Command Line Event Consumer
-author: Thomas Patzke
-date: 2018/03/07
-description: Detects WMI command line event consumers
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: C:\Windows\System32\wbem\WmiPrvSE.exe
- SELECTION_3:
- ImageLoaded: '*\wbemcons.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown (data set is too small; further testing needed)
-id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-status: experimental
-tags:
-- attack.t1084
-- attack.t1546.003
-- attack.persistence
-yml_filename: sysmon_wmi_persistence_commandline_event_consumer.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
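Review bot: SELECTION_2 pins the image to `C:\Windows\System32\wbem\WmiPrvSE.exe`, a fixed drive letter and path, whereas the other image_load rules in this patch match on suffix patterns such as `'*\lsass.exe'`; a regenerated copy should use `'*\wbem\WmiPrvSE.exe'` so systems installed on a different drive are covered, and the falsepositives note `Unknown (data set is too small; further testing needed)` should be revisited before `level: high` is kept.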
diff --git a/rules/alert-rules/sigma/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/alert-rules/sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
deleted file mode 100644
index c70550be..00000000
--- a/rules/alert-rules/sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: WMI Persistence - Script Event Consumer File Write
-author: Thomas Patzke
-date: 2018/03/07
-description: Detects file writes of WMI script event consumer
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: C:\WINDOWS\system32\wbem\scrcons.exe
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-status: experimental
-tags:
-- attack.t1084
-- attack.t1546.003
-- attack.persistence
-yml_filename: sysmon_wmi_persistence_script_event_consumer_write.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/sysmon_wmi_susp_encoded_scripts.yml b/rules/alert-rules/sigma/sysmon_wmi_susp_encoded_scripts.yml
deleted file mode 100644
index 4b0ddc05..00000000
--- a/rules/alert-rules/sigma/sysmon_wmi_susp_encoded_scripts.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Suspicious Encoded Scripts in a WMI Consumer
-author: Florian Roth
-date: 2021/09/01
-description: Detects suspicious encoded payloads in WMI Event Consumers
-detection:
- SELECTION_1:
- EventID: 19
- SELECTION_10:
- Destination: '*VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy*'
- SELECTION_11:
- Destination: '*RoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlciBXaW4zM*'
- SELECTION_12:
- Destination: '*UaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMz*'
- SELECTION_2:
- EventID: 20
- SELECTION_3:
- EventID: 21
- SELECTION_4:
- Destination: '*V3JpdGVQcm9jZXNzTWVtb3J5*'
- SELECTION_5:
- Destination: '*dyaXRlUHJvY2Vzc01lbW9ye*'
- SELECTION_6:
- Destination: '*Xcml0ZVByb2Nlc3NNZW1vcn*'
- SELECTION_7:
- Destination: '*VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZG*'
- SELECTION_8:
- Destination: '*RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl*'
- SELECTION_9:
- Destination: '*UaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZ*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12))
-falsepositives:
-- Unknown
-fields:
-- User
-- Operation
-id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
-level: high
-logsource:
- category: wmi_event
- product: windows
-references:
-- https://github.com/RiccardoAncarani/LiquidSnake
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-- attack.persistence
-- attack.t1546.003
-yml_filename: sysmon_wmi_susp_encoded_scripts.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
-
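Review bot: the `yml_path` line in this hunk (and in every other rule removed by this change) embeds the converting developer's absolute local path `/Users/user/Documents/YamatoSecurity/sigma/...`; when these rules are regenerated that field should be dropped or made repository-relative, since it only records one person's build environment. The detection itself is sound: SELECTION_4 to SELECTION_12 carry the three base64 alignment variants of each marker string, which is what is needed to match an encoded substring at any offset.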
diff --git a/rules/alert-rules/sigma/sysmon_wmi_susp_scripting.yml b/rules/alert-rules/sigma/sysmon_wmi_susp_scripting.yml
deleted file mode 100644
index 6db7b6be..00000000
--- a/rules/alert-rules/sigma/sysmon_wmi_susp_scripting.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-title: Suspicious Scripting in a WMI Consumer
-author: Florian Roth, Jonhnathan Ribeiro
-date: 2019/04/15
-description: Detects suspicious scripting in WMI Event Consumers
-detection:
- SELECTION_1:
- EventID: 19
- SELECTION_10:
- Destination: '* iex(*'
- SELECTION_11:
- Destination: '*WScript.shell*'
- SELECTION_12:
- Destination: '* -nop *'
- SELECTION_13:
- Destination: '* -noprofile *'
- SELECTION_14:
- Destination: '* -decode *'
- SELECTION_15:
- Destination: '* -enc *'
- SELECTION_16:
- Destination: '*WScript.Shell*'
- SELECTION_17:
- Destination: '*System.Security.Cryptography.FromBase64Transform*'
- SELECTION_2:
- EventID: 20
- SELECTION_3:
- EventID: 21
- SELECTION_4:
- Destination: '*new-object*'
- SELECTION_5:
- Destination: '*net.webclient*'
- SELECTION_6:
- Destination: '*.downloadstring*'
- SELECTION_7:
- Destination: '*new-object*'
- SELECTION_8:
- Destination: '*net.webclient*'
- SELECTION_9:
- Destination: '*.downloadfile*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
- SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)
- or (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
- or SELECTION_15) or (SELECTION_16 or SELECTION_17)))
-falsepositives:
-- Administrative scripts
-fields:
-- User
-- Operation
-id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
-level: high
-logsource:
- category: wmi_event
- product: windows
-modified: 2021/09/01
-references:
-- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
-- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
-- https://github.com/RiccardoAncarani/LiquidSnake
-status: experimental
-tags:
-- attack.t1086
-- attack.execution
-- attack.t1059.005
-yml_filename: sysmon_wmi_susp_scripting.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
-
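Review bot: SELECTION_4/SELECTION_5 and SELECTION_7/SELECTION_8 in this hunk are identical pairs (`'*new-object*'` and `'*net.webclient*'`), and SELECTION_11 (`'*WScript.shell*'`) differs from SELECTION_16 (`'*WScript.Shell*'`) only in letter case, so the condition carries redundant branches. If this rule is regenerated, `(SELECTION_4 and SELECTION_5 and (SELECTION_6 or SELECTION_9))` expresses the same download-cradle check without the duplicates, and the two `WScript.Shell` selections should be collapsed once the case behaviour of the matcher is settled.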
diff --git a/rules/alert-rules/sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/alert-rules/sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
deleted file mode 100644
index 6ce43520..00000000
--- a/rules/alert-rules/sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: WMIC Loading Scripting Libraries
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/17
-description: Detects threat actors proxy executing code and bypassing application
- controls by leveraging wmic and the `/FORMAT` argument switch to download and
- execute an XSL file (i.e js, vbs, etc).
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\wmic.exe'
- SELECTION_3:
- ImageLoaded: '*\jscript.dll'
- SELECTION_4:
- ImageLoaded: '*\vbscript.dll'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Apparently, wmic os get lastboottuptime loads vbscript.dll
-id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
-- https://twitter.com/dez_/status/986614411711442944
-- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1220
-yml_filename: sysmon_wmic_remote_xsl_scripting_dlls.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
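Review bot: the benign case this hunk documents on its `falsepositives` line (`wmic os get lastboottuptime` loading vbscript.dll, with `lastbootuptime` misspelled) is not excluded by the condition, and since the selections only key on `Image` and `ImageLoaded` there is nothing in them that separates that routine inventory query from a scripting-library load; a regenerated rule should either state that limitation in the description or lower `level: high`. The `'*\jscript.dll'` and `'*\vbscript.dll'` suffix matches themselves are fine.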
diff --git a/rules/alert-rules/sigma/sysmon_wsman_provider_image_load.yml b/rules/alert-rules/sigma/sysmon_wsman_provider_image_load.yml
deleted file mode 100644
index 55e6d5dc..00000000
--- a/rules/alert-rules/sigma/sysmon_wsman_provider_image_load.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Suspicious WSMAN Provider Image Loads
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-description: Detects signs of potential use of the WSMAN provider from uncommon processes
- locally and remote execution.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_10:
- Image: '*\svchost.exe'
- SELECTION_11:
- OriginalFileName: WsmWmiPl.dll
- SELECTION_2:
- EventID: 7
- SELECTION_3:
- ImageLoaded: '*\WsmSvc.dll'
- SELECTION_4:
- ImageLoaded: '*\WsmAuto.dll'
- SELECTION_5:
- ImageLoaded: '*\Microsoft.WSMan.Management.ni.dll'
- SELECTION_6:
- OriginalFileName: WsmSvc.dll
- SELECTION_7:
- OriginalFileName: WSMANAUTOMATION.DLL
- SELECTION_8:
- OriginalFileName: Microsoft.WSMan.Management.dll
- SELECTION_9:
- Image: '*\powershell.exe'
- condition: (SELECTION_1 and ((SELECTION_2 and ((SELECTION_3 or SELECTION_4 or
- SELECTION_5) or (SELECTION_6 or SELECTION_7 or SELECTION_8)) and not (SELECTION_9))
- or (SELECTION_10 and SELECTION_11)))
-falsepositives:
-- Unknown
-id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
-level: medium
-logsource:
- category: image_load
- product: windows
-references:
-- https://twitter.com/chadtilbury/status/1275851297770610688
-- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
-- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
-- https://github.com/bohops/WSMan-WinRM
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.lateral_movement
-- attack.t1021.003
-yml_filename: sysmon_wsman_provider_image_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
-
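Review bot: SELECTION_1 and SELECTION_2 in this hunk are both `EventID: 7`, so the condition `SELECTION_1 and ((SELECTION_2 and ...) or (SELECTION_10 and SELECTION_11))` tests the same field twice; a single `EventID: 7` selection at the top level is enough, which also makes it clearer that the `svchost.exe` plus `WsmWmiPl.dll` branch is gated by the event ID as well. Note that the `not (SELECTION_9)` exclusion for `powershell.exe` applies only to the first branch, which matches the description's aim of flagging uncommon loaders.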
diff --git a/rules/alert-rules/sigma/sysmon_wuauclt_network_connection.yml b/rules/alert-rules/sigma/sysmon_wuauclt_network_connection.yml
deleted file mode 100644
index 8f9fc862..00000000
--- a/rules/alert-rules/sigma/sysmon_wuauclt_network_connection.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Wuauclt Network Connection
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
- proxy execute code and making a network connections. One could easily make the
- DLL spawn a new process and inject to it to proxy the network connection and bypass
- this rule.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*wuauclt*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use of wuauclt.exe over the network.
-id: c649a6c7-cd8c-4a78-9c04-000fc76df954
-level: medium
-logsource:
- category: network_connection
- product: windows
-references:
-- https://dtm.uk/wuauclt/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: sysmon_wuauclt_network_connection.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
-
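Review bot: SELECTION_2 in this hunk uses `Image: '*wuauclt*'` with neither a path separator nor an `.exe` suffix, so any image whose full path merely contains the substring `wuauclt` also matches, including unrelated binaries placed in a folder of that name; the other rules removed in this change anchor on `'*\name.exe'`, and `'*\wuauclt.exe'` would be the consistent form here.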
diff --git a/rules/alert-rules/sigma/win_aadhealth_mon_agent_regkey_access.yml b/rules/alert-rules/sigma/win_aadhealth_mon_agent_regkey_access.yml
deleted file mode 100644
index 978b3fe9..00000000
--- a/rules/alert-rules/sigma/win_aadhealth_mon_agent_regkey_access.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Azure AD Health Monitoring Agent Registry Keys Access
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-description: |
- This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
- This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
-detection:
- SELECTION_1:
- EventID: 4656
- SELECTION_2:
- EventID: 4663
- SELECTION_3:
- ObjectType: Key
- SELECTION_4:
- ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
- SELECTION_5:
- ProcessName: '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- SELECTION_6:
- ProcessName: '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- SELECTION_7:
- ProcessName: '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- SELECTION_8:
- ProcessName: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- SELECTION_9:
- ProcessName: '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
- condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
- ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)))
-falsepositives:
-- Unknown
-id: ff151c33-45fa-475d-af4f-c2f93571f4fe
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://o365blog.com/post/hybridhealthagent/
-- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
-status: experimental
-tags:
-- attack.discovery
-- attack.t1012
-yml_filename: win_aadhealth_mon_agent_regkey_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_aadhealth_svc_agent_regkey_access.yml b/rules/alert-rules/sigma/win_aadhealth_svc_agent_regkey_access.yml
deleted file mode 100644
index 307c22fd..00000000
--- a/rules/alert-rules/sigma/win_aadhealth_svc_agent_regkey_access.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Azure AD Health Service Agents Registry Keys Access
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-description: |
- This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
- Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
- This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
- Make sure you set the SACL to propagate to its sub-keys.
-detection:
- SELECTION_1:
- EventID: 4656
- SELECTION_2:
- EventID: 4663
- SELECTION_3:
- ObjectType: Key
- SELECTION_4:
- ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
- SELECTION_5:
- ProcessName: '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- SELECTION_6:
- ProcessName: '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- SELECTION_7:
- ProcessName: '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- SELECTION_8:
- ProcessName: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- SELECTION_9:
- ProcessName: '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
- condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
- ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)))
-falsepositives:
-- Unknown
-id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://o365blog.com/post/hybridhealthagent/
-- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
-status: experimental
-tags:
-- attack.discovery
-- attack.t1012
-yml_filename: win_aadhealth_svc_agent_regkey_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
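Review bot: the description in this hunk instructs the reader to propagate the SACL to the sub-keys of `HKLM:\SOFTWARE\Microsoft\ADHealthAgent`, but SELECTION_4 matches `ObjectName` as the exact value `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent`, so 4656/4663 events raised for a sub-key (whose `ObjectName` is the sub-key path) never satisfy the condition. A trailing wildcard on SELECTION_4 (`'\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent*'`) is needed for the rule to deliver the coverage its description promises; the sibling MonitoringAgent rule above has the same exact-match shape but makes no sub-key claim.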
diff --git a/rules/alert-rules/sigma/win_account_backdoor_dcsync_rights.yml b/rules/alert-rules/sigma/win_account_backdoor_dcsync_rights.yml
deleted file mode 100644
index 8c49dc02..00000000
--- a/rules/alert-rules/sigma/win_account_backdoor_dcsync_rights.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
-author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
-date: 2019/04/03
-description: backdooring domain object to grant the rights associated with DCSync
- to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
- Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
-detection:
- SELECTION_1:
- EventID: 5136
- SELECTION_2:
- AttributeLDAPDisplayName: ntSecurityDescriptor
- SELECTION_3:
- AttributeValue: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- SELECTION_4:
- AttributeValue: '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- SELECTION_5:
- AttributeValue: '*89e95b76-444d-4c62-991a-0facbeda640c*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
-falsepositives:
-- New Domain Controller computer account, check user SIDs within the value attribute
- of event 5136 and verify if it's a regular user or DC computer account.
-id: 2c99737c-585d-4431-b61a-c911d86ff32f
-level: critical
-logsource:
- product: windows
- service: security
-modified: 2021/07/09
-references:
-- https://twitter.com/menasec1/status/1111556090137903104
-- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
-status: experimental
-tags:
-- attack.persistence
-- attack.t1098
-yml_filename: win_account_backdoor_dcsync_rights.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_account_discovery.yml b/rules/alert-rules/sigma/win_account_discovery.yml
deleted file mode 100644
index 7db42e05..00000000
--- a/rules/alert-rules/sigma/win_account_discovery.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: AD Privileged Users or Groups Reconnaissance
-author: Samir Bousseaden
-date: 2019/04/03
-description: Detect priv users or groups recon based on 4661 eventid and known privileged
- users or groups SIDs
-detection:
- SELECTION_1:
- EventID: 4661
- SELECTION_10:
- ObjectName: '*-544'
- SELECTION_11:
- ObjectName: '*-551'
- SELECTION_12:
- ObjectName: '*-555'
- SELECTION_13:
- ObjectName: '*admin*'
- SELECTION_2:
- ObjectType: SAM_USER
- SELECTION_3:
- ObjectType: SAM_GROUP
- SELECTION_4:
- ObjectName: '*-512'
- SELECTION_5:
- ObjectName: '*-502'
- SELECTION_6:
- ObjectName: '*-500'
- SELECTION_7:
- ObjectName: '*-505'
- SELECTION_8:
- ObjectName: '*-519'
- SELECTION_9:
- ObjectName: '*-520'
- condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and ((SELECTION_4 or
- SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or
- SELECTION_10 or SELECTION_11 or SELECTION_12) or SELECTION_13))
-falsepositives:
-- if source account name is not an admin then its super suspicious
-id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
-level: high
-logsource:
- definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
- product: windows
- service: security
-modified: 2021/09/08
-references:
-- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
-status: experimental
-tags:
-- attack.discovery
-- attack.t1087
-- attack.t1087.002
-yml_filename: win_account_discovery.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
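Review bot: SELECTION_13 in this hunk (`ObjectName: '*admin*'`) is a bare substring match that fires for any SAM user or group whose name contains `admin`, and the detection has no selection on the requesting account even though the `falsepositives` line says the event is only suspicious when the source account is not an admin; at `level: high` this will be noisy on domain controllers with many admin-named service or group objects. A `not` filter on `SubjectUserName` for known administrative accounts, or limiting SELECTION_13 to the well-known RID suffixes already covered by SELECTION_4 to SELECTION_12, would narrow it.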
diff --git a/rules/alert-rules/sigma/win_ad_find_discovery.yml b/rules/alert-rules/sigma/win_ad_find_discovery.yml
deleted file mode 100644
index abacfa8b..00000000
--- a/rules/alert-rules/sigma/win_ad_find_discovery.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-title: AdFind Usage Detection
-author: Janantha Marasinghe (https://github.com/blueteam0ps)
-date: 2021/02/02
-description: AdFind continues to be seen across majority of breaches. It is used to
- domain trust discovery to plan out subsequent steps in the attack chain.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*name="Domain Admins"*'
- SELECTION_11:
- CommandLine: '*-sc u:*'
- SELECTION_12:
- CommandLine: '*domainncs*'
- SELECTION_13:
- CommandLine: '*dompol*'
- SELECTION_14:
- CommandLine: '* oudmp *'
- SELECTION_15:
- CommandLine: '*subnetdmp*'
- SELECTION_16:
- CommandLine: '*gpodmp*'
- SELECTION_17:
- CommandLine: '*fspdmp*'
- SELECTION_18:
- CommandLine: '*users_noexpire*'
- SELECTION_19:
- CommandLine: '*computers_active*'
- SELECTION_2:
- CommandLine: '*domainlist*'
- SELECTION_3:
- CommandLine: '*trustdmp*'
- SELECTION_4:
- CommandLine: '*dcmodes*'
- SELECTION_5:
- CommandLine: '*adinfo*'
- SELECTION_6:
- CommandLine: '* dclist *'
- SELECTION_7:
- CommandLine: '*computer_pwdnotreqd*'
- SELECTION_8:
- CommandLine: '*objectcategory=*'
- SELECTION_9:
- CommandLine: '*-subnets -f*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19))
-falsepositives:
-- Admin activity
-id: 9a132afa-654e-11eb-ae93-0242ac130002
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/02/02
-references:
-- https://thedfirreport.com/2020/05/08/adfind-recon/
-- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
-- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
-status: experimental
-tags:
-- attack.discovery
-- attack.t1482
-- attack.t1018
-yml_filename: win_ad_find_discovery.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
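Review bot: none of the selections in this hunk constrain the process image, so the generic switches `'*objectcategory=*'` (SELECTION_8), `'*adinfo*'` (SELECTION_5) and `'*dcmodes*'` (SELECTION_4) match any process creation whose command line contains those substrings, not only the AdFind tool the title names; at `level: high` that will hit legitimate LDAP queries issued by other administrative tooling. Adding an `Image` or `OriginalFileName` selection for the AdFind binary, or requiring one of the AdFind-specific switches (`-sc`, `dclist`, `trustdmp`) alongside the generic ones, would make the rule match its title.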
diff --git a/rules/alert-rules/sigma/win_ad_object_writedac_access.yml b/rules/alert-rules/sigma/win_ad_object_writedac_access.yml
deleted file mode 100644
index a9a7cddd..00000000
--- a/rules/alert-rules/sigma/win_ad_object_writedac_access.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: AD Object WriteDAC Access
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-description: Detects WRITE_DAC access to a domain object
-detection:
- SELECTION_1:
- EventID: 4662
- SELECTION_2:
- ObjectServer: DS
- SELECTION_3:
- AccessMask: '0x40000'
- SELECTION_4:
- ObjectType: 19195a5b-6da0-11d0-afd3-00c04fd930c9
- SELECTION_5:
- ObjectType: domainDNS
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1222
-- attack.t1222.001
-yml_filename: win_ad_object_writedac_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_ad_replication_non_machine_account.yml b/rules/alert-rules/sigma/win_ad_replication_non_machine_account.yml
deleted file mode 100644
index f1dcd36f..00000000
--- a/rules/alert-rules/sigma/win_ad_replication_non_machine_account.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Active Directory Replication from Non Machine Account
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/07/26
-description: Detects potential abuse of Active Directory Replication Service (ADRS)
- from a non machine account to request credentials.
-detection:
- SELECTION_1:
- EventID: 4662
- SELECTION_2:
- AccessMask: '0x100'
- SELECTION_3:
- Properties: '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- SELECTION_4:
- Properties: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- SELECTION_5:
- Properties: '*89e95b76-444d-4c62-991a-0facbeda640c*'
- SELECTION_6:
- SubjectUserName: '*$'
- SELECTION_7:
- SubjectUserName: MSOL_*
- condition: ((SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
- and not (SELECTION_6 or SELECTION_7))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- SubjectDomainName
-- SubjectUserName
-id: 17d619c1-e020-4347-957e-1d1207455c93
-level: critical
-logsource:
- product: windows
- service: security
-modified: 2020/08/23
-references:
-- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.006
-yml_filename: win_ad_replication_non_machine_account.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_ad_user_enumeration.yml b/rules/alert-rules/sigma/win_ad_user_enumeration.yml
deleted file mode 100644
index 25c55475..00000000
--- a/rules/alert-rules/sigma/win_ad_user_enumeration.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AD User Enumeration
-author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/30
-description: Detects access to a domain user from a non-machine account
-detection:
- SELECTION_1:
- EventID: 4662
- SELECTION_2:
- ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
- SELECTION_3:
- SubjectUserName: '*$'
- SELECTION_4:
- SubjectUserName: MSOL_*
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Administrators configuring new users.
-id: ab6bffca-beff-4baa-af11-6733f296d57a
-level: medium
-logsource:
- definition: Requires the "Read all properties" permission on the user object to
- be audited for the "Everyone" principal
- product: windows
- service: security
-modified: 2021/08/09
-references:
-- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
-- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
-- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
-status: experimental
-tags:
-- attack.discovery
-- attack.t1087
-- attack.t1087.002
-yml_filename: win_ad_user_enumeration.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_admin_rdp_login.yml b/rules/alert-rules/sigma/win_admin_rdp_login.yml
deleted file mode 100644
index 2decb719..00000000
--- a/rules/alert-rules/sigma/win_admin_rdp_login.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Admin User Remote Logon
-author: juju4
-date: 2017/10/29
-description: Detect remote login by Administrator user (depending on internal pattern).
-detection:
- SELECTION_1:
- EventID: 4624
- SELECTION_2:
- LogonType: 10
- SELECTION_3:
- AuthenticationPackageName: Negotiate
- SELECTION_4:
- TargetUserName: Admin*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Legitimate administrative activity.
-id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
-level: low
-logsource:
- definition: 'Requirements: Identifiable administrators usernames (pattern or special
- unique character. ex: "Admin-*"), internal policy mandating use only as secondary
- account'
- product: windows
- service: security
-modified: 2021/07/07
-references:
-- https://car.mitre.org/wiki/CAR-2016-04-005
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1078
-- attack.t1078.001
-- attack.t1078.002
-- attack.t1078.003
-- car.2016-04-005
-yml_filename: win_admin_rdp_login.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_admin_share_access.yml b/rules/alert-rules/sigma/win_admin_share_access.yml
deleted file mode 100644
index adc80fb5..00000000
--- a/rules/alert-rules/sigma/win_admin_share_access.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Access to ADMIN$ Share
-author: Florian Roth
-date: 2017/03/04
-description: Detects access to $ADMIN share
-detection:
- SELECTION_1:
- EventID: 5140
- SELECTION_2:
- ShareName: Admin$
- SELECTION_3:
- SubjectUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
-falsepositives:
-- Legitimate administrative activity
-id: 098d7118-55bc-4912-a836-dc6483a8d150
-level: low
-logsource:
- definition: The advanced audit policy setting "Object Access > Audit File Share"
- must be configured for Success/Failure
- product: windows
- service: security
-modified: 2020/08/23
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1077
-- attack.t1021.002
-yml_filename: win_admin_share_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
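Review bot: the description line in this hunk says `$ADMIN share` while the title and SELECTION_2 use `ADMIN$` and `Admin$`; the dollar sign belongs at the end of the share name. The `not (SELECTION_3)` exclusion of `'*$'` machine accounts and the `logsource.definition` audit requirement are correct as written, so a regenerated version only needs the description text fixed.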
diff --git a/rules/alert-rules/sigma/win_alert_active_directory_user_control.yml b/rules/alert-rules/sigma/win_alert_active_directory_user_control.yml
deleted file mode 100644
index f063b4ee..00000000
--- a/rules/alert-rules/sigma/win_alert_active_directory_user_control.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Enabled User Right in AD to Control User Objects
-author: '@neu5ron'
-date: 2017/07/30
-description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
- right in Active Directory it would allow control of other AD user objects.
-detection:
- SELECTION_1:
- EventID: 4704
- SELECTION_2:
- PrivilegeList: '*SeEnableDelegationPrivilege*'
- condition: (SELECTION_1 and (SELECTION_2))
-falsepositives:
-- Unknown
-id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization
- Policy Change, Group Policy : Computer Configuration\Windows Settings\Security
- Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit
- Authorization Policy Change'
- product: windows
- service: security
-modified: 2020/08/23
-references:
-- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
-tags:
-- attack.persistence
-- attack.t1098
-yml_filename: win_alert_active_directory_user_control.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_alert_ad_user_backdoors.yml b/rules/alert-rules/sigma/win_alert_ad_user_backdoors.yml
deleted file mode 100644
index 96d05973..00000000
--- a/rules/alert-rules/sigma/win_alert_ad_user_backdoors.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: Active Directory User Backdoors
-author: '@neu5ron'
-date: 2017/04/13
-description: Detects scenarios where one can control another users or computers account
- without having to use their credentials.
-detection:
- SELECTION_1:
- EventID: 4738
- SELECTION_10:
- AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
- SELECTION_2:
- AllowedToDelegateTo: '-'
- SELECTION_3:
- AllowedToDelegateTo|re: ^$
- SELECTION_4:
- EventID: 5136
- SELECTION_5:
- AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
- SELECTION_6:
- EventID: 5136
- SELECTION_7:
- ObjectClass: user
- SELECTION_8:
- AttributeLDAPDisplayName: servicePrincipalName
- SELECTION_9:
- EventID: 5136
- condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or
- (SELECTION_4 and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8))
- or (SELECTION_9 and SELECTION_10))
-falsepositives:
-- Unknown
-id: 300bac00-e041-4ee2-9c36-e262656a6ecc
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Account Management > Audit User Account
- Management, Group Policy : Computer Configuration\Windows Settings\Security
- Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit
- User Account Management, DS Access > Audit Directory Service Changes, Group
- Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
- Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service
- Changes'
- product: windows
- service: security
-modified: 2020/08/23
-references:
-- https://msdn.microsoft.com/en-us/library/cc220234.aspx
-- https://adsecurity.org/?p=3466
-- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
-tags:
-- attack.t1098
-- attack.persistence
-yml_filename: win_alert_ad_user_backdoors.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
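Review bot: SELECTION_4, SELECTION_6 and SELECTION_9 in this hunk are all `EventID: 5136`, so the condition could be written with a single 5136 selection as `(SELECTION_4 and (SELECTION_5 or (SELECTION_7 and SELECTION_8) or SELECTION_10))`; the current five-level nesting is correct but hard to audit. SELECTION_2 and SELECTION_3 together exclude both the literal `'-'` and an empty `AllowedToDelegateTo`; that pairing is fine, but the `|re: ^$` modifier must survive regeneration, since a plain wildcard cannot express an empty-string match.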
diff --git a/rules/alert-rules/sigma/win_alert_enable_weak_encryption.yml b/rules/alert-rules/sigma/win_alert_enable_weak_encryption.yml
deleted file mode 100644
index 77653f54..00000000
--- a/rules/alert-rules/sigma/win_alert_enable_weak_encryption.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-title: Weak Encryption Enabled and Kerberoast
-author: '@neu5ron'
-date: 2017/07/30
-description: Detects scenario where weak encryption is enabled for a user profile
- which could be used for hash/password cracking.
-detection:
- SELECTION_1:
- EventID: 4738
- SELECTION_10:
- OldUacValue: '*8???'
- SELECTION_11:
- OldUacValue: '*9???'
- SELECTION_12:
- OldUacValue: '*A???'
- SELECTION_13:
- OldUacValue: '*B???'
- SELECTION_14:
- OldUacValue: '*C???'
- SELECTION_15:
- OldUacValue: '*D???'
- SELECTION_16:
- OldUacValue: '*E???'
- SELECTION_17:
- OldUacValue: '*F???'
- SELECTION_18:
- NewUacValue: '*1????'
- SELECTION_19:
- NewUacValue: '*3????'
- SELECTION_2:
- NewUacValue: '*8???'
- SELECTION_20:
- NewUacValue: '*5????'
- SELECTION_21:
- NewUacValue: '*7????'
- SELECTION_22:
- NewUacValue: '*9????'
- SELECTION_23:
- NewUacValue: '*B????'
- SELECTION_24:
- NewUacValue: '*D????'
- SELECTION_25:
- NewUacValue: '*F????'
- SELECTION_26:
- OldUacValue: '*1????'
- SELECTION_27:
- OldUacValue: '*3????'
- SELECTION_28:
- OldUacValue: '*5????'
- SELECTION_29:
- OldUacValue: '*7????'
- SELECTION_3:
- NewUacValue: '*9???'
- SELECTION_30:
- OldUacValue: '*9????'
- SELECTION_31:
- OldUacValue: '*B????'
- SELECTION_32:
- OldUacValue: '*D????'
- SELECTION_33:
- OldUacValue: '*F????'
- SELECTION_34:
- NewUacValue: '*8??'
- SELECTION_35:
- NewUacValue: '*9??'
- SELECTION_36:
- NewUacValue: '*A??'
- SELECTION_37:
- NewUacValue: '*B??'
- SELECTION_38:
- NewUacValue: '*C??'
- SELECTION_39:
- NewUacValue: '*D??'
- SELECTION_4:
- NewUacValue: '*A???'
- SELECTION_40:
- NewUacValue: '*E??'
- SELECTION_41:
- NewUacValue: '*F??'
- SELECTION_42:
- OldUacValue: '*8??'
- SELECTION_43:
- OldUacValue: '*9??'
- SELECTION_44:
- OldUacValue: '*A??'
- SELECTION_45:
- OldUacValue: '*B??'
- SELECTION_46:
- OldUacValue: '*C??'
- SELECTION_47:
- OldUacValue: '*D??'
- SELECTION_48:
- OldUacValue: '*E??'
- SELECTION_49:
- OldUacValue: '*F??'
- SELECTION_5:
- NewUacValue: '*B???'
- SELECTION_6:
- NewUacValue: '*C???'
- SELECTION_7:
- NewUacValue: '*D???'
- SELECTION_8:
- NewUacValue: '*E???'
- SELECTION_9:
- NewUacValue: '*F???'
- condition: (SELECTION_1 and ((((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and not ((SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17))) or ((SELECTION_18 or SELECTION_19 or SELECTION_20
- or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25)
- and not ((SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or
- SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))) or ((SELECTION_34
- or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
- or SELECTION_40 or SELECTION_41) and not ((SELECTION_42 or SELECTION_43 or
- SELECTION_44 or SELECTION_45 or SELECTION_46 or SELECTION_47 or SELECTION_48
- or SELECTION_49)))))
-falsepositives:
-- Unknown
-id: f6de9536-0441-4b3f-a646-f4e00f300ffd
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Account Management > Audit User Account
- Management, Group Policy : Computer Configuration\Windows Settings\Security
- Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit
- User Account Management'
- product: windows
- service: security
-references:
-- https://adsecurity.org/?p=2053
-- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_alert_enable_weak_encryption.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
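Review bot: the deletion removes the rule on enabling weak encryption (per the filename `win_alert_enable_weak_encryption.yml`) without any pointer in the diff to where that coverage goes; please state in the commit message whether `rules/alert-rules/sigma/` is being replaced by another rule set or dropped. Two things worth carrying into any successor: the `logsource.definition` line records the audit-policy prerequisite (Account Management > Audit User Account Management), and the `tags` list still pairs the retired `attack.t1089` with its successor `attack.t1562.001`. The `yml_path` value is a developer's machine-local absolute path (`/Users/user/Documents/YamatoSecurity/...`), which appears in every deleted file here; if these files are regenerated elsewhere, the generator should not embed that.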
diff --git a/rules/alert-rules/sigma/win_alert_lsass_access.yml b/rules/alert-rules/sigma/win_alert_lsass_access.yml
deleted file mode 100644
index 84486308..00000000
--- a/rules/alert-rules/sigma/win_alert_lsass_access.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: LSASS Access Detected via Attack Surface Reduction
-author: Markus Neis
-date: 2018/08/26
-description: Detects Access to LSASS Process
-detection:
- SELECTION_1:
- EventID: 1121
- SELECTION_2:
- Path: '*\lsass.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Google Chrome GoogleUpdate.exe
-- Some Taskmgr.exe related activity
-id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
-level: high
-logsource:
- definition: 'Requirements:Enabled Block credential stealing from the Windows local
- security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
- product: windows_defender
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-yml_filename: win_alert_lsass_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
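Review bot: removing `win_alert_lsass_access.yml` loses the only ASR-specific logsource in this set (`product: windows_defender`, EventID 1121 keyed to the LSASS ASR rule GUID in the definition) together with its two documented false positives (GoogleUpdate.exe, Taskmgr.exe). If a replacement is added, keep both, since that FP list is what stops a `high`-level rule on every 1121 event from alerting on updater noise.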
diff --git a/rules/alert-rules/sigma/win_alert_mimikatz_keywords.yml b/rules/alert-rules/sigma/win_alert_mimikatz_keywords.yml
deleted file mode 100644
index e0402b2c..00000000
--- a/rules/alert-rules/sigma/win_alert_mimikatz_keywords.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Mimikatz Use
-author: Florian Roth
-date: 2017/01/10
-description: This method detects mimikatz keywords in different Eventlogs (some of
- them only appear in older Mimikatz version that are however still used by different
- threat groups)
-detection:
- condition: (\mimikatz or mimikatz.exe or \mimilib.dll or <3 eo.oe or eo.oe.kiwi
- or privilege::debug or sekurlsa::logonpasswords or lsadump::sam or mimidrv.sys
- or p::d or s::l or gentilkiwi.com or Kiwi Legit Printer)
-falsepositives:
-- Naughty administrators
-- Penetration test
-- AV Signature updates
-- Files with Mimikatz in their filename
-id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
-level: critical
-logsource:
- product: windows
-modified: 2021/08/26
-tags:
-- attack.s0002
-- attack.t1003
-- attack.lateral_movement
-- attack.credential_access
-- car.2013-07-001
-- car.2019-04-004
-- attack.t1003.002
-- attack.t1003.004
-- attack.t1003.001
-- attack.t1003.006
-yml_filename: win_alert_mimikatz_keywords.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
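Review bot: this rule's `condition` is a bare keyword list with no field selection and a logsource of only `product: windows`, so it amounted to a full-text match across every channel; if that is the reason for dropping a `critical`-level rule, say so in the commit message rather than deleting it silently. Note for any re-creation: the keywords are unquoted and several contain characters that collide with the rule syntax (`\mimikatz`, `<3 eo.oe`, `p::d`), so they would need quoting under the wildcard and operator rules this PR documents.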
diff --git a/rules/alert-rules/sigma/win_alert_ruler.yml b/rules/alert-rules/sigma/win_alert_ruler.yml
deleted file mode 100644
index bbfca60a..00000000
--- a/rules/alert-rules/sigma/win_alert_ruler.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Hacktool Ruler
-author: Florian Roth
-date: 2017/05/31
-description: This events that are generated when using the hacktool Ruler by Sensepost
-detection:
- SELECTION_1:
- EventID: 4776
- SELECTION_2:
- Workstation: RULER
- SELECTION_3:
- EventID: 4624
- SELECTION_4:
- EventID: 4625
- SELECTION_5:
- WorkstationName: RULER
- condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and
- SELECTION_5))
-falsepositives:
-- Go utilities that use staaldraad awesome NTLM library
-id: 24549159-ac1b-479c-8175-d42aea947cae
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/08/09
-references:
-- https://github.com/sensepost/ruler
-- https://github.com/sensepost/ruler/issues/47
-- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
-tags:
-- attack.discovery
-- attack.execution
-- attack.t1087
-- attack.t1075
-- attack.t1114
-- attack.t1059
-- attack.t1550.002
-yml_filename: win_alert_ruler.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
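Review bot: this rule deliberately maps the same indicator (`RULER`) to two field names, `Workstation` for EventID 4776 and `WorkstationName` for 4624/4625; a single-field rewrite would silently drop half the coverage, so please preserve that mapping if the rule is re-added. The `tags` list also still carries the retired `attack.t1075` beside its successor `attack.t1550.002`.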
diff --git a/rules/alert-rules/sigma/win_anydesk_silent_install.yml b/rules/alert-rules/sigma/win_anydesk_silent_install.yml
deleted file mode 100644
index 8936c495..00000000
--- a/rules/alert-rules/sigma/win_anydesk_silent_install.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: AnyDesk Silent Installation
-author: "J\xE1n Tren\u010Dansk\xFD"
-date: 2021/08/06
-description: AnyDesk Remote Desktop silent installation can be used by attacker to
- gain remote access.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*--install*'
- SELECTION_3:
- CommandLine: '*--start-with-win*'
- SELECTION_4:
- CommandLine: '*--silent*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Legitimate deployment of AnyDesk
-fields:
-- CommandLine
-- ParentCommandLine
-- CurrentDirectory
-id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
-- https://support.anydesk.com/Automatic_Deployment
-status: experimental
-tags:
-- attack.t1219
-yml_filename: win_anydesk_silent_install.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
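Review bot: the `author` field in the deleted file is stored as escaped sequences (`"J\xE1n Tren\u010Dansk\xFD"`) rather than UTF-8; if these files are regenerated by a script, emit plain UTF-8 so the name is readable. The detection itself requires all of `--install`, `--start-with-win` and `--silent` on one EventID 1 command line, which is the tight match that keeps its `high` level justified; keep the three-way AND in any successor.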
diff --git a/rules/alert-rules/sigma/win_applocker_file_was_not_allowed_to_run.yml b/rules/alert-rules/sigma/win_applocker_file_was_not_allowed_to_run.yml
deleted file mode 100644
index e1de4a71..00000000
--- a/rules/alert-rules/sigma/win_applocker_file_was_not_allowed_to_run.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: File Was Not Allowed To Run
-author: Pushkarev Dmitry
-date: 2020/06/28
-description: Detect run not allowed files. Applocker is a very useful tool, especially
- on servers where unprivileged users have access. For example terminal servers.
- You need configure applocker and log collect to receive these events.
-detection:
- SELECTION_1:
- EventID: 8004
- SELECTION_2:
- EventID: 8007
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- need tuning applocker or add exceptions in SIEM
-fields:
-- PolicyName
-- RuleId
-- RuleName
-- TargetUser
-- TargetProcessId
-- FilePath
-- FileHash
-- Fqbn
-id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
-level: medium
-logsource:
- product: windows
- service: applocker
-modified: 2020/08/23
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
-- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1086
-- attack.t1064
-- attack.t1204
-- attack.t1035
-- attack.t1204.002
-- attack.t1059.001
-- attack.t1059.003
-- attack.t1059.005
-- attack.t1059.006
-- attack.t1059.007
-yml_filename: win_applocker_file_was_not_allowed_to_run.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
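Review bot: this is the only `service: applocker` rule in the set (EventIDs 8004 and 8007), and its `falsepositives` entry ("need tuning applocker or add exceptions in SIEM") is tuning guidance rather than a false-positive source; both points argue for a cleaned-up replacement rather than a bare deletion. The `tags` list mixes retired technique IDs (`attack.t1086`, `attack.t1064`, `attack.t1035`) with their successors; drop the legacy IDs if the rule is re-created.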
diff --git a/rules/alert-rules/sigma/win_apt_apt29_thinktanks.yml b/rules/alert-rules/sigma/win_apt_apt29_thinktanks.yml
deleted file mode 100644
index 37bb4609..00000000
--- a/rules/alert-rules/sigma/win_apt_apt29_thinktanks.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: APT29
-author: Florian Roth
-date: 2018/12/04
-description: This method detects a suspicious PowerShell command line combination
- as used by APT29 in a campaign against U.S. think tanks.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*-noni*'
- SELECTION_3:
- CommandLine: '*-ep*'
- SELECTION_4:
- CommandLine: '*bypass*'
- SELECTION_5:
- CommandLine: '*$*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- unknown
-id: 033fe7d6-66d1-4240-ac6b-28908009c71f
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
-- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
-tags:
-- attack.execution
-- attack.g0016
-- attack.t1086
-- attack.t1059
-- attack.t1059.001
-yml_filename: win_apt_apt29_thinktanks.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
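Review bot: SELECTION_5 (`CommandLine: '*$*'`) matches any command line containing `$`, so all of this rule's specificity comes from the `-noni`, `-ep` and `bypass` terms; if it is re-created, confirm that `$` stays a literal after wildcard-to-regex conversion rather than becoming an end anchor, since the pattern is otherwise silently always true or always false.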
diff --git a/rules/alert-rules/sigma/win_apt_babyshark.yml b/rules/alert-rules/sigma/win_apt_babyshark.yml
deleted file mode 100644
index 1c6e3386..00000000
--- a/rules/alert-rules/sigma/win_apt_babyshark.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Baby Shark Activity
-author: Florian Roth
-date: 2019/02/24
-description: Detects activity that could be related to Baby Shark malware
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
- Client\Default"
- SELECTION_3:
- CommandLine: powershell.exe mshta.exe http*
- SELECTION_4:
- CommandLine: cmd.exe /c taskkill /im cmd.exe
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-status: experimental
-tags:
-- attack.execution
-- attack.t1059
-- attack.t1086
-- attack.t1059.003
-- attack.t1059.001
-- attack.discovery
-- attack.t1012
-- attack.defense_evasion
-- attack.t1170
-- attack.t1218
-- attack.t1218.005
-yml_filename: win_apt_babyshark.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
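Review bot: SELECTION_2 is an unquoted plain scalar that both embeds double quotes and folds across two lines (`reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server` / `Client\Default"`); YAML folds that to a single space, which happens to be correct here, but it is fragile. SELECTION_3 and SELECTION_4 are likewise unquoted. Any regenerated copy should single-quote these values so the embedded quotes and backslashes survive round-tripping.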
diff --git a/rules/alert-rules/sigma/win_apt_bear_activity_gtr19.yml b/rules/alert-rules/sigma/win_apt_bear_activity_gtr19.yml
deleted file mode 100644
index b6b2789d..00000000
--- a/rules/alert-rules/sigma/win_apt_bear_activity_gtr19.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Judgement Panda Credential Access Activity
-author: Florian Roth
-date: 2019/02/21
-description: Detects Russian group activity as described in Global Threat Report 2019
- by Crowdstrike
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*-snapshot*'
- SELECTION_11:
- CommandLine: '*""*'
- SELECTION_12:
- CommandLine: '*c:\users\\*'
- SELECTION_2:
- Image: '*\xcopy.exe'
- SELECTION_3:
- CommandLine: '*/S*'
- SELECTION_4:
- CommandLine: '*/E*'
- SELECTION_5:
- CommandLine: '*/C*'
- SELECTION_6:
- CommandLine: '*/Q*'
- SELECTION_7:
- CommandLine: '*/H*'
- SELECTION_8:
- CommandLine: '*\\\*'
- SELECTION_9:
- Image: '*\adexplorer.exe'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
- SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9
- and SELECTION_10 and SELECTION_11 and SELECTION_12)))
-falsepositives:
-- unknown
-id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-tags:
-- attack.credential_access
-- attack.t1081
-- attack.t1003
-- attack.t1552.001
-- attack.t1003.003
-yml_filename: win_apt_bear_activity_gtr19.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
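Review bot: SELECTION_8 (`'*\\\*'`) and SELECTION_12 (`'*c:\users\\*'`) depend on the backslash-escape rules for wildcards, and `\\\*` in particular is ambiguous between "literal backslash then literal asterisk" and "backslash then escaped wildcard". If these patterns are re-created under the escaping rules this PR documents, re-check both against a sample xcopy command line so the intended match (a UNC or user-profile path) still fires.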
diff --git a/rules/alert-rules/sigma/win_apt_bluemashroom.yml b/rules/alert-rules/sigma/win_apt_bluemashroom.yml
deleted file mode 100644
index 675748d9..00000000
--- a/rules/alert-rules/sigma/win_apt_bluemashroom.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: BlueMashroom DLL Load
-author: Florian Roth
-date: 2019/10/02
-description: Detects a suspicious DLL loading from AppData Local path as described
- in BlueMashroom report
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*\AppData\Local\\*'
- SELECTION_3:
- CommandLine: '*\regsvr32*'
- SELECTION_4:
- CommandLine: '*,DllEntry*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unlikely
-id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1117
-- attack.t1218.010
-yml_filename: win_apt_bluemashroom.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_carbonpaper_turla.yml b/rules/alert-rules/sigma/win_apt_carbonpaper_turla.yml
deleted file mode 100644
index 8e06f20f..00000000
--- a/rules/alert-rules/sigma/win_apt_carbonpaper_turla.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Turla Service Install
-author: Florian Roth
-date: 2017/03/31
-description: This method detects a service install of malicious services mentioned
- in Carbon Paper - Turla report by ESET
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ServiceName: srservice
- SELECTION_3:
- ServiceName: ipvpn
- SELECTION_4:
- ServiceName: hkmsvc
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unknown
-id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
-level: high
-logsource:
- product: windows
- service: system
-references:
-- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
-tags:
-- attack.persistence
-- attack.g0010
-- attack.t1050
-- attack.t1543.003
-yml_filename: win_apt_carbonpaper_turla.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_chafer_mar18_security.yml b/rules/alert-rules/sigma/win_apt_chafer_mar18_security.yml
deleted file mode 100644
index 0dab103b..00000000
--- a/rules/alert-rules/sigma/win_apt_chafer_mar18_security.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Chafer Activity
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
- in March 2018
-detection:
- SELECTION_1:
- EventID: 4698
- SELECTION_2:
- TaskName: SC Scheduled Scan
- SELECTION_3:
- TaskName: UpdatMachine
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: c0580559-a6bd-4ef6-b9b7-83703d98b561
-level: critical
-logsource:
- product: windows
- service: security
-modified: 2021/09/19
-references:
-- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-related:
-- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: derived
-tags:
-- attack.persistence
-- attack.g0049
-- attack.t1053
-- attack.t1053.005
-- attack.s0111
-- attack.t1050
-- attack.t1543.003
-- attack.defense_evasion
-- attack.t1112
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-yml_filename: win_apt_chafer_mar18_security.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
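Review bot: the `related` block here points at id `53ba33fd-3a50-4468-a5ef-c583635cfa92`, which is the `win_apt_chafer_mar18_system.yml` rule deleted in the next hunk; removing both together is consistent, but if only one is re-added later the `related` link will dangle, so keep the pair together.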
diff --git a/rules/alert-rules/sigma/win_apt_chafer_mar18_system.yml b/rules/alert-rules/sigma/win_apt_chafer_mar18_system.yml
deleted file mode 100644
index 55c22608..00000000
--- a/rules/alert-rules/sigma/win_apt_chafer_mar18_system.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Chafer Activity
-author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
- in March 2018
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ServiceName: SC Scheduled Scan
- SELECTION_3:
- ServiceName: UpdatMachine
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/09/19
-references:
-- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-tags:
-- attack.persistence
-- attack.g0049
-- attack.t1053
-- attack.t1053.005
-- attack.s0111
-- attack.t1050
-- attack.t1543.003
-- attack.defense_evasion
-- attack.t1112
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-yml_filename: win_apt_chafer_mar18_system.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_cloudhopper.yml b/rules/alert-rules/sigma/win_apt_cloudhopper.yml
deleted file mode 100644
index 3f35033b..00000000
--- a/rules/alert-rules/sigma/win_apt_cloudhopper.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: WMIExec VBS Script
-author: Florian Roth
-date: 2017/04/07
-description: Detects suspicious file execution by wscript and cscript
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\cscript.exe'
- SELECTION_3:
- CommandLine: '*.vbs*'
- SELECTION_4:
- CommandLine: '*/shell*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unlikely
-fields:
-- CommandLine
-- ParentCommandLine
-id: 966e4016-627f-44f7-8341-f394905c361f
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
-tags:
-- attack.execution
-- attack.g0045
-- attack.t1064
-- attack.t1059.005
-yml_filename: win_apt_cloudhopper.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_dragonfly.yml b/rules/alert-rules/sigma/win_apt_dragonfly.yml
deleted file mode 100644
index 58c09c47..00000000
--- a/rules/alert-rules/sigma/win_apt_dragonfly.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CrackMapExecWin
-author: Markus Neis
-date: 2018/04/08
-description: Detects CrackMapExecWin Activity as Described by NCSC
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\crackmapexec.exe'
- condition: (SELECTION_1 and (SELECTION_2))
-falsepositives:
-- None
-id: 04d9079e-3905-4b70-ad37-6bdf11304965
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
-status: experimental
-tags:
-- attack.g0035
-yml_filename: win_apt_dragonfly.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
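Review bot: the deleted rule's `condition` wraps a single selection in redundant parentheses (`(SELECTION_1 and (SELECTION_2))`) and its `tags` carry only the group ID `attack.g0035` with no technique; if it is re-created, simplify the condition and add the technique tag so the rule is reachable by technique-based filtering. `falsepositives: - None` is also a claim the image-name match (`*\crackmapexec.exe`) cannot support on its own.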
diff --git a/rules/alert-rules/sigma/win_apt_elise.yml b/rules/alert-rules/sigma/win_apt_elise.yml
deleted file mode 100644
index 0591afa2..00000000
--- a/rules/alert-rules/sigma/win_apt_elise.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Elise Backdoor
-author: Florian Roth
-date: 2018/01/31
-description: Detects Elise backdoor acitivty as used by APT32
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: C:\Windows\SysWOW64\cmd.exe
- SELECTION_3:
- CommandLine: '*\Windows\Caches\NavShExt.dll *'
- SELECTION_4:
- CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
-falsepositives:
-- Unknown
-id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
-status: experimental
-tags:
-- attack.g0030
-- attack.g0050
-- attack.s0081
-- attack.execution
-- attack.t1059
-- attack.t1059.003
-yml_filename: win_apt_elise.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_emissarypanda_sep19.yml b/rules/alert-rules/sigma/win_apt_emissarypanda_sep19.yml
deleted file mode 100644
index f0ad2622..00000000
--- a/rules/alert-rules/sigma/win_apt_emissarypanda_sep19.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Emissary Panda Malware SLLauncher
-author: Florian Roth
-date: 2018/09/03
-description: Detects the execution of DLL side-loading malware used by threat group
- Emissary Panda aka APT27
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\sllauncher.exe'
- SELECTION_3:
- Image: '*\svchost.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
-- https://twitter.com/cyb3rops/status/1168863899531132929
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-yml_filename: win_apt_emissarypanda_sep19.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_empiremonkey.yml b/rules/alert-rules/sigma/win_apt_empiremonkey.yml
deleted file mode 100644
index 7d0922e0..00000000
--- a/rules/alert-rules/sigma/win_apt_empiremonkey.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Empire Monkey
-author: Markus Neis
-date: 2019/04/02
-description: Detects EmpireMonkey APT reported Activity
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*/i:%APPDATA%\logs.txt scrobj.dll'
- SELECTION_3:
- Image: '*\cutil.exe'
- SELECTION_4:
- Description: Microsoft(C) Registerserver
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Very Unlikely
-id: 10152a7b-b566-438f-a33c-390b607d1c8d
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
-tags:
-- attack.defense_evasion
-- attack.t1218.010
-- attack.t1117
-yml_filename: win_apt_empiremonkey.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_equationgroup_dll_u_load.yml b/rules/alert-rules/sigma/win_apt_equationgroup_dll_u_load.yml
deleted file mode 100644
index f36e3bc7..00000000
--- a/rules/alert-rules/sigma/win_apt_equationgroup_dll_u_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Equation Group DLL_U Load
-author: Florian Roth
-date: 2019/03/04
-description: Detects a specific tool and export used by EquationGroup
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\rundll32.exe'
- SELECTION_3:
- CommandLine: '*,dll_u'
- SELECTION_4:
- CommandLine: '* -export dll_u *'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
-falsepositives:
-- Unknown
-id: d465d1d8-27a2-4cca-9621-a800f37cf72e
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
-- https://securelist.com/apt-slingshot/84312/
-- https://twitter.com/cyb3rops/status/972186477512839170
-tags:
-- attack.g0020
-- attack.defense_evasion
-- attack.t1085
-- attack.t1218.011
-yml_filename: win_apt_equationgroup_dll_u_load.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_evilnum_jul20.yml b/rules/alert-rules/sigma/win_apt_evilnum_jul20.yml
deleted file mode 100644
index 812411c4..00000000
--- a/rules/alert-rules/sigma/win_apt_evilnum_jul20.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: EvilNum Golden Chickens Deployment via OCX Files
-author: Florian Roth
-date: 2020/07/10
-description: Detects Golden Chickens deployment method as used by Evilnum in report
- published in July 2020
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*regsvr32*'
- SELECTION_3:
- CommandLine: '*/s*'
- SELECTION_4:
- CommandLine: '*/i*'
- SELECTION_5:
- CommandLine: '*\AppData\Roaming\\*'
- SELECTION_6:
- CommandLine: '*.ocx*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6)
-falsepositives:
-- Unknown
-id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
-- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1085
-- attack.t1218.011
-yml_filename: win_apt_evilnum_jul20.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_gallium.yml b/rules/alert-rules/sigma/win_apt_gallium.yml
deleted file mode 100644
index b90e46ec..00000000
--- a/rules/alert-rules/sigma/win_apt_gallium.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: GALLIUM Artefacts
-author: Tim Burrell
-date: 2020/02/07
-description: Detects artefacts associated with activity group GALLIUM - Microsoft
- Threat Intelligence Center indicators released in December 2019.
-detection:
- SELECTION_1:
- EventID: 257
- SELECTION_2:
- QNAME: asyspy256.ddns.net
- SELECTION_3:
- QNAME: hotkillmail9sddcc.ddns.net
- SELECTION_4:
- QNAME: rosaf112.ddns.net
- SELECTION_5:
- QNAME: cvdfhjh1231.myftp.biz
- SELECTION_6:
- QNAME: sz2016rose.ddns.net
- SELECTION_7:
- QNAME: dffwescwer4325.myftp.biz
- SELECTION_8:
- QNAME: cvdfhjh1231.ddns.net
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8))
-falsepositives:
-- unknown
-id: 3db10f25-2527-4b79-8d4b-471eb900ee29
-level: high
-logsource:
- product: windows
- service: dns-server
-modified: 2021/09/19
-references:
-- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
-- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-related:
-- id: 440a56bf-7873-4439-940a-1c8a671073c2
- type: derived
-status: experimental
-tags:
-- attack.credential_access
-- attack.command_and_control
-yml_filename: win_apt_gallium.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
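Review bot: this rule's `related` entry references id `440a56bf-7873-4439-940a-1c8a671073c2`, which does not appear anywhere in this diff, so it is unclear whether the derived counterpart is also being removed; please confirm. The detection is a fixed list of DDNS `QNAME` values on `service: dns-server` EventID 257, i.e. point-in-time indicators from the December 2019 report, which is worth stating if the removal is because they have aged out.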
diff --git a/rules/alert-rules/sigma/win_apt_greenbug_may20.yml b/rules/alert-rules/sigma/win_apt_greenbug_may20.yml
deleted file mode 100644
index a7463d71..00000000
--- a/rules/alert-rules/sigma/win_apt_greenbug_may20.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-title: Greenbug Campaign Indicators
-author: Florian Roth
-date: 2020/05/20
-description: Detects tools and process executions as observed in a Greenbug campaign
- in May 2020
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*[Net.CredentialCache]::DefaultCredentials;IEX *'
- SELECTION_11:
- CommandLine: '* -nop -w hidden -c $m=new-object net.webclient;$m*'
- SELECTION_12:
- CommandLine: '*-noninteractive -executionpolicy bypass whoami*'
- SELECTION_13:
- CommandLine: '*-noninteractive -executionpolicy bypass netstat -a*'
- SELECTION_14:
- CommandLine: '*L3NlcnZlcj1*'
- SELECTION_15:
- Image: '*\adobe\Adobe.exe'
- SELECTION_16:
- Image: '*\oracle\local.exe'
- SELECTION_17:
- Image: '*\revshell.exe'
- SELECTION_18:
- Image: '*infopagesbackup\ncat.exe'
- SELECTION_19:
- Image: '*CSIDL_SYSTEM\cmd.exe'
- SELECTION_2:
- CommandLine: '*bitsadmin*'
- SELECTION_20:
- Image: '*\programdata\oracle\java.exe'
- SELECTION_21:
- Image: '*CSIDL_COMMON_APPDATA\comms\comms.exe'
- SELECTION_22:
- Image: '*\Programdata\VMware\Vmware.exe'
- SELECTION_3:
- CommandLine: '*/transfer*'
- SELECTION_4:
- CommandLine: '*CSIDL_APPDATA*'
- SELECTION_5:
- CommandLine: '*CSIDL_SYSTEM_DRIVE*'
- SELECTION_6:
- CommandLine: '*\msf.ps1*'
- SELECTION_7:
- CommandLine: '*8989 -e cmd.exe*'
- SELECTION_8:
- CommandLine: '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
- SELECTION_9:
- CommandLine: '*-nop -w hidden -c $k=new-object*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
- (SELECTION_5) or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)
- or (SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
- or SELECTION_20 or SELECTION_21 or SELECTION_22)))
-falsepositives:
-- Unknown
-id: 3711eee4-a808-4849-8a14-faf733da3612
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
-status: experimental
-tags:
-- attack.g0049
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.command_and_control
-- attack.t1105
-- attack.defense_evasion
-- attack.t1036
-- attack.t1036.005
-yml_filename: win_apt_greenbug_may20.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
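Review bot: the `condition` in the deleted file has `(SELECTION_5)` as a standalone OR branch, so any command line containing `CSIDL_SYSTEM_DRIVE` fired this `critical` rule on its own; from the grouping of SELECTION_2 through SELECTION_4 (`bitsadmin`, `/transfer`, `CSIDL_APPDATA`) it looks like SELECTION_5 was meant to be ANDed into that bitsadmin group. If the rule is re-created, fix the grouping rather than carrying the over-broad branch forward.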
diff --git a/rules/alert-rules/sigma/win_apt_hafnium.yml b/rules/alert-rules/sigma/win_apt_hafnium.yml
deleted file mode 100644
index 838c72df..00000000
--- a/rules/alert-rules/sigma/win_apt_hafnium.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-title: Exchange Exploitation Activity
-author: Florian Roth
-date: 2021/03/09
-description: Detects activity observed by different researchers to be HAFNIUM group
- activity (or related) on Exchange servers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*Temp\__output*'
- SELECTION_11:
- CommandLine: '*%TEMP%\execute.bat*'
- SELECTION_12:
- Image: '*Users\Public\opera\Opera_browser.exe'
- SELECTION_13:
- Image: '*Opera_browser.exe'
- SELECTION_14:
- ParentImage: '*\services.exe'
- SELECTION_15:
- ParentImage: '*\svchost.exe'
- SELECTION_16:
- Image: '*\ProgramData\VSPerfMon\\*'
- SELECTION_17:
- CommandLine: '* -t7z *'
- SELECTION_18:
- CommandLine: '*C:\Programdata\pst*'
- SELECTION_19:
- CommandLine: '*\it.zip*'
- SELECTION_2:
- CommandLine: '*attrib*'
- SELECTION_20:
- Image: '*\makecab.exe'
- SELECTION_21:
- CommandLine: '*Microsoft\Exchange Server\\*'
- SELECTION_22:
- CommandLine: '*inetpub\wwwroot*'
- SELECTION_23:
- CommandLine: '*\Temp\xx.bat*'
- SELECTION_24:
- CommandLine: '*Windows\WwanSvcdcs*'
- SELECTION_25:
- CommandLine: '*Windows\Temp\cw.exe*'
- SELECTION_26:
- CommandLine: '*\comsvcs.dll*'
- SELECTION_27:
- CommandLine: '*Minidump*'
- SELECTION_28:
- CommandLine: '*\inetpub\wwwroot*'
- SELECTION_29:
- CommandLine: '*dsquery*'
- SELECTION_3:
- CommandLine: '* +h *'
- SELECTION_30:
- CommandLine: '* -uco *'
- SELECTION_31:
- CommandLine: '*\inetpub\wwwroot*'
- SELECTION_4:
- CommandLine: '* +s *'
- SELECTION_5:
- CommandLine: '* +r *'
- SELECTION_6:
- CommandLine: '*.aspx*'
- SELECTION_7:
- CommandLine: '*schtasks*'
- SELECTION_8:
- CommandLine: '*VSPerfMon*'
- SELECTION_9:
- CommandLine: '*vssadmin list shadows*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
- SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
- and SELECTION_10) or SELECTION_11 or SELECTION_12 or (SELECTION_13 and (SELECTION_14
- or SELECTION_15)) or SELECTION_16 or (SELECTION_17 and SELECTION_18 and SELECTION_19)
- or (SELECTION_20 and (SELECTION_21 or SELECTION_22)) or (SELECTION_23 or SELECTION_24
- or SELECTION_25) or (SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29
- and SELECTION_30 and SELECTION_31)))
-falsepositives:
-- Unknown
-id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/03/16
-references:
-- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
-- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
-- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
-- https://twitter.com/BleepinComputer/status/1372218235949617161
-status: experimental
-tags:
-- attack.persistence
-- attack.t1546
-- attack.t1053
-yml_filename: win_apt_hafnium.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
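Review bot: SELECTION_22, SELECTION_28 and SELECTION_31 are all the same `inetpub\wwwroot` substring match, repeated because the converter emits one selection per occurrence in the upstream rule; a successor to this file should define the shared pattern once and reference it from the three sub-expressions of the condition. Given the `high` level and the 2021/03/16 modification date, please confirm this Exchange post-exploitation rule is being replaced, not silently dropped.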
diff --git a/rules/alert-rules/sigma/win_apt_hurricane_panda.yml b/rules/alert-rules/sigma/win_apt_hurricane_panda.yml
deleted file mode 100644
index 3f167041..00000000
--- a/rules/alert-rules/sigma/win_apt_hurricane_panda.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Hurricane Panda Activity
-author: Florian Roth
-date: 2019/03/04
-description: Detects Hurricane Panda Activity
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*localgroup*'
- SELECTION_3:
- CommandLine: '*admin*'
- SELECTION_4:
- CommandLine: '*/add*'
- SELECTION_5:
- CommandLine: '*\Win64.exe*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
- (SELECTION_5)))
-falsepositives:
-- Unknown
-id: 0eb2107b-a596-422e-b123-b389d5594ed7
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.g0009
-- attack.t1068
-yml_filename: win_apt_hurricane_panda.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_judgement_panda_gtr19.yml b/rules/alert-rules/sigma/win_apt_judgement_panda_gtr19.yml
deleted file mode 100644
index d60a1999..00000000
--- a/rules/alert-rules/sigma/win_apt_judgement_panda_gtr19.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Judgement Panda Exfil Activity
-author: Florian Roth
-date: 2019/02/21
-description: Detects Judgement Panda activity as described in Global Threat Report
- 2019 by Crowdstrike
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- Image: C:\Users\Public\7za.exe
- SELECTION_2:
- CommandLine: '*eprod.ldf'
- SELECTION_3:
- CommandLine: '*\ldifde.exe -f -n *'
- SELECTION_4:
- CommandLine: '*\7za.exe a 1.7z *'
- SELECTION_5:
- CommandLine: '*\aaaa\procdump64.exe*'
- SELECTION_6:
- CommandLine: '*\aaaa\netsess.exe*'
- SELECTION_7:
- CommandLine: '*\aaaa\7za.exe*'
- SELECTION_8:
- CommandLine: '*copy .\1.7z \\*'
- SELECTION_9:
- CommandLine: '*copy \\client\c$\aaaa\\*'
- condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) or SELECTION_10))
-falsepositives:
-- unknown
-id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-tags:
-- attack.lateral_movement
-- attack.g0010
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-- attack.exfiltration
-- attack.t1002
-- attack.t1560.001
-yml_filename: win_apt_judgement_panda_gtr19.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_ke3chang_regadd.yml b/rules/alert-rules/sigma/win_apt_ke3chang_regadd.yml
deleted file mode 100644
index b49cc019..00000000
--- a/rules/alert-rules/sigma/win_apt_ke3chang_regadd.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Ke3chang Registry Key Modifications
-author: Markus Neis, Swisscom
-date: 2020/06/18
-description: Detects Registry modifications performed by Ke3chang malware in campaigns
- running in 2019 and 2020
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*'
- SELECTION_3:
- CommandLine: '*-Property String -name Check_Associations -value*'
- SELECTION_4:
- CommandLine: '*-Property DWORD -name IEHarden -value 0 -Force*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- Will need to be looked for combinations of those processes
-id: 7b544661-69fc-419f-9a59-82ccc328f205
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
-- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
-status: experimental
-tags:
-- attack.g0004
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_apt_ke3chang_regadd.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
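Review bot: the `falsepositives` entry "Will need to be looked for combinations of those processes" does not describe a false-positive source, and the tags list both the retired `attack.t1089` and its replacement `attack.t1562.001`; the same retired/replacement pairing recurs in several other removed rules in this series (`t1050`/`t1543.003`, `t1085`/`t1218.011`), so a regenerated set should carry only the current technique id.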
diff --git a/rules/alert-rules/sigma/win_apt_lazarus_activity_apr21.yml b/rules/alert-rules/sigma/win_apt_lazarus_activity_apr21.yml
deleted file mode 100644
index d0ff9a91..00000000
--- a/rules/alert-rules/sigma/win_apt_lazarus_activity_apr21.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Lazarus Activity
-author: Bhabesh Raj
-date: 2021/04/20
-description: Detects different process creation events as described in Malwarebytes's
- threat report on Lazarus group activity
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*mshta*'
- SELECTION_3:
- CommandLine: '*.zip*'
- SELECTION_4:
- ParentImage: C:\Windows\System32\wbem\wmiprvse.exe
- SELECTION_5:
- Image: C:\Windows\System32\mshta.exe
- SELECTION_6:
- ParentImage: '*:\Users\Public\\*'
- SELECTION_7:
- Image: C:\Windows\System32\rundll32.exe
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or ((SELECTION_4) and
- (SELECTION_5)) or ((SELECTION_6) and (SELECTION_7))))
-falsepositives:
-- Should not be any false positives
-id: 4a12fa47-c735-4032-a214-6fab5b120670
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
-status: experimental
-tags:
-- attack.g0032
-yml_filename: win_apt_lazarus_activity_apr21.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
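Review bot: the tags carry only the group id `attack.g0032` and no technique tag, although the detection is built on `mshta.exe` (SELECTION_2, SELECTION_5) and `rundll32.exe` (SELECTION_7) launches; the "Should not be any false positives" claim is also hard to justify for a `*mshta*` plus `*.zip*` command-line pair, so a successor rule should document the expected benign overlap.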
diff --git a/rules/alert-rules/sigma/win_apt_lazarus_activity_dec20.yml b/rules/alert-rules/sigma/win_apt_lazarus_activity_dec20.yml
deleted file mode 100644
index 8de42e26..00000000
--- a/rules/alert-rules/sigma/win_apt_lazarus_activity_dec20.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Lazarus Activity
-author: Florian Roth
-date: 2020/12/23
-description: Detects different process creation events as described in various threat
- reports on Lazarus group activity
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*.255 10 C:\ProgramData\\*'
- SELECTION_2:
- CommandLine: '*reg.exe save hklm\sam %temp%\~reg_sam.save*'
- SELECTION_3:
- CommandLine: '*1q2w3e4r@#$@#$@#$*'
- SELECTION_4:
- CommandLine: '* -hp1q2w3e4 *'
- SELECTION_5:
- CommandLine: '*.dat data03 10000 -p *'
- SELECTION_6:
- CommandLine: '*process call create*'
- SELECTION_7:
- CommandLine: '* > %temp%\~*'
- SELECTION_8:
- CommandLine: '*netstat -aon | find *'
- SELECTION_9:
- CommandLine: '* > %temp%\~*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10)))
-falsepositives:
-- Overlap with legitimate process activity in some cases (especially selection 3 and
- 4)
-id: 24c4d154-05a4-4b99-b57d-9b977472443a
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
-- https://www.hvs-consulting.de/lazarus-report/
-status: experimental
-tags:
-- attack.g0032
-yml_filename: win_apt_lazarus_activity_dec20.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
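Review bot: SELECTION_7 and SELECTION_9 are the identical pattern `* > %temp%\~*`, and the `falsepositives` note about "selection 3 and 4" no longer points at anything meaningful: in this converted file SELECTION_3 and SELECTION_4 are the hard-coded password strings, which are the least likely parts of the rule to overlap with legitimate activity, so the note refers to the upstream rule's numbering that the converter rewrote. A regenerated rule should either drop the numeric reference or rewrite it in terms of the renumbered selections.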
diff --git a/rules/alert-rules/sigma/win_apt_lazarus_loader.yml b/rules/alert-rules/sigma/win_apt_lazarus_loader.yml
deleted file mode 100644
index e19c0317..00000000
--- a/rules/alert-rules/sigma/win_apt_lazarus_loader.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Lazarus Loaders
-author: Florian Roth, wagga
-date: 2020/12/23
-description: Detects different loaders as described in various threat reports on Lazarus
- group activity
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*.dat,*'
- SELECTION_11:
- CommandLine: '*.io,*'
- SELECTION_12:
- CommandLine: '*.ini,*'
- SELECTION_13:
- CommandLine: '*.db,*'
- SELECTION_2:
- CommandLine: '*cmd.exe /c *'
- SELECTION_3:
- CommandLine: '* -p 0x*'
- SELECTION_4:
- CommandLine: '*C:\ProgramData\\*'
- SELECTION_5:
- CommandLine: '*C:\RECYCLER\\*'
- SELECTION_6:
- CommandLine: '*rundll32.exe *'
- SELECTION_7:
- CommandLine: '*C:\ProgramData\\*'
- SELECTION_8:
- CommandLine: '*.bin,*'
- SELECTION_9:
- CommandLine: '*.tmp,*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and (SELECTION_4 or
- SELECTION_5)) or (SELECTION_6 and SELECTION_7 and (SELECTION_8 or SELECTION_9
- or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13))))
-falsepositives:
-- unknown
-id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://www.hvs-consulting.de/lazarus-report/
-- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
-status: experimental
-tags:
-- attack.g0032
-yml_filename: win_apt_lazarus_loader.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
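Review bot: SELECTION_4 and SELECTION_7 are the identical pattern `*C:\ProgramData\\*`, once for the `cmd.exe /c` branch and once for the `rundll32.exe` branch of the condition; one named selection would serve both branches and make the condition easier to read.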
diff --git a/rules/alert-rules/sigma/win_apt_lazarus_session_highjack.yml b/rules/alert-rules/sigma/win_apt_lazarus_session_highjack.yml
deleted file mode 100644
index 45296a64..00000000
--- a/rules/alert-rules/sigma/win_apt_lazarus_session_highjack.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Lazarus Session Highjacker
-author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
-date: 2020/06/03
-description: Detects executables launched outside their default directories as used
- by Lazarus Group (Bluenoroff)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\msdtc.exe'
- SELECTION_3:
- Image: '*\gpvc.exe'
- SELECTION_4:
- Image: C:\Windows\System32\\*
- SELECTION_5:
- Image: C:\Windows\SysWOW64\\*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
- or SELECTION_5)))
-falsepositives:
-- unknown
-id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1036
-- attack.t1036.005
-yml_filename: win_apt_lazarus_session_highjack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_mustangpanda.yml b/rules/alert-rules/sigma/win_apt_mustangpanda.yml
deleted file mode 100644
index fc0c5ba8..00000000
--- a/rules/alert-rules/sigma/win_apt_mustangpanda.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Mustang Panda Dropper
-author: Florian Roth, oscd.community
-date: 2019/10/30
-description: Detects specific process parameters as used by Mustang Panda droppers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- Image: '*Temp\winwsh.exe'
- SELECTION_2:
- CommandLine: '*Temp\wtask.exe /create*'
- SELECTION_3:
- CommandLine: '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- SELECTION_4:
- CommandLine: '*/tn "Security Script *'
- SELECTION_5:
- CommandLine: '*%windir:~-1,1%*'
- SELECTION_6:
- CommandLine: '*/E:vbscript*'
- SELECTION_7:
- CommandLine: '*C:\Users\\*'
- SELECTION_8:
- CommandLine: '*.txt*'
- SELECTION_9:
- CommandLine: '*/F*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or SELECTION_10))
-falsepositives:
-- Unlikely
-fields:
-- CommandLine
-- ParentCommandLine
-id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
-- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
-- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
-status: experimental
-tags:
-- attack.t1587.001
-- attack.resource_development
-yml_filename: win_apt_mustangpanda.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_revil_kaseya.yml b/rules/alert-rules/sigma/win_apt_revil_kaseya.yml
deleted file mode 100644
index 4201e90a..00000000
--- a/rules/alert-rules/sigma/win_apt_revil_kaseya.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: REvil Kaseya Incident Malware Patterns
-author: Florian Roth
-date: 2021/07/03
-description: Detects process command line patterns and locations used by REvil group
- in Kaseya incident (can also match on other malware)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*c:\kworking1\agent.crt*'
- SELECTION_11:
- Image: C:\Windows\MsMpEng.exe
- SELECTION_12:
- Image: C:\Windows\cert.exe
- SELECTION_13:
- Image: C:\kworking\agent.exe
- SELECTION_14:
- Image: C:\kworking1\agent.exe
- SELECTION_2:
- CommandLine: '*C:\Windows\cert.exe*'
- SELECTION_3:
- CommandLine: '*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem
- $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess
- Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled*'
- SELECTION_4:
- CommandLine: '*del /q /f c:\kworking\agent.crt*'
- SELECTION_5:
- CommandLine: '*Kaseya VSA Agent Hot-fix*'
- SELECTION_6:
- CommandLine: '*\AppData\Local\Temp\MsMpEng.exe*'
- SELECTION_7:
- CommandLine: '*rmdir /s /q %SystemDrive%\inetpub\logs*'
- SELECTION_8:
- CommandLine: '*del /s /q /f %SystemDrive%\\*.log*'
- SELECTION_9:
- CommandLine: '*c:\kworking1\agent.exe*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
- and (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))
-falsepositives:
-- Unknown
-id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/07/05
-references:
-- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
-- https://www.joesandbox.com/analysis/443736/0/html
-- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
-- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
-- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
-status: experimental
-tags:
-- attack.execution
-- attack.g0115
-yml_filename: win_apt_revil_kaseya.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
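Review bot: the condition ANDs the command-line group (SELECTION_2 to SELECTION_10) with the image group (SELECTION_11 to SELECTION_14), so a command line matching SELECTION_3 (`Set-MpPreference -DisableRealtimeMonitoring ...`) only alerts when `Image` is one of the four listed paths; please verify against the upstream rule that this AND is intended and not a `1 of them` condition that the conversion narrowed, because as written the Defender-tampering pattern alone never fires.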
diff --git a/rules/alert-rules/sigma/win_apt_slingshot.yml b/rules/alert-rules/sigma/win_apt_slingshot.yml
deleted file mode 100644
index cae98618..00000000
--- a/rules/alert-rules/sigma/win_apt_slingshot.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Defrag Deactivation
-author: Florian Roth, Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-description: Detects the deactivation and disabling of the Scheduled defragmentation
- task as seen by Slingshot APT group
-detection:
- SELECTION_1:
- EventID: 4701
- SELECTION_2:
- TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
-level: medium
-logsource:
- definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
- product: windows
- service: security
-modified: 2021/09/19
-references:
-- https://securelist.com/apt-slingshot/84312/
-related:
-- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
- type: derived
-tags:
-- attack.persistence
-- attack.s0111
-yml_filename: win_apt_slingshot.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_sofacy.yml b/rules/alert-rules/sigma/win_apt_sofacy.yml
deleted file mode 100644
index af1ebff6..00000000
--- a/rules/alert-rules/sigma/win_apt_sofacy.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Sofacy Trojan Loader Activity
-author: Florian Roth, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/01
-description: Detects Trojan loader acitivty as used by APT28
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*rundll32.exe*'
- SELECTION_3:
- CommandLine: '*%APPDATA%\\*'
- SELECTION_4:
- CommandLine: '*.dat",*'
- SELECTION_5:
- CommandLine: '*.dll",#1'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and (SELECTION_4 or
- SELECTION_5))
-falsepositives:
-- Unknown
-id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/11/28
-references:
-- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
-- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
-- https://twitter.com/ClearskySec/status/960924755355369472
-status: experimental
-tags:
-- attack.g0007
-- attack.execution
-- attack.t1059
-- attack.t1059.003
-- attack.defense_evasion
-- attack.t1085
-- car.2013-10-002
-- attack.t1218.011
-yml_filename: win_apt_sofacy.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_stonedrill.yml b/rules/alert-rules/sigma/win_apt_stonedrill.yml
deleted file mode 100644
index aaa03e5c..00000000
--- a/rules/alert-rules/sigma/win_apt_stonedrill.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: StoneDrill Service Install
-author: Florian Roth
-date: 2017/03/07
-description: This method detects a service install of the malicious Microsoft Network
- Realtime Inspection Service service described in StoneDrill report by Kaspersky
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ServiceName: NtsSrv
- SELECTION_3:
- ServiceFileName: '* LocalService'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unlikely
-id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
-level: high
-logsource:
- product: windows
- service: system
-references:
-- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
-tags:
-- attack.persistence
-- attack.g0064
-- attack.t1050
-- attack.t1543.003
-yml_filename: win_apt_stonedrill.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_ta17_293a_ps.yml b/rules/alert-rules/sigma/win_apt_ta17_293a_ps.yml
deleted file mode 100644
index 90437f54..00000000
--- a/rules/alert-rules/sigma/win_apt_ta17_293a_ps.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Ps.exe Renamed SysInternals Tool
-author: Florian Roth
-date: 2017/10/22
-description: Detects renamed SysInternals tool execution with a binary named ps.exe
- as used by Dragonfly APT group and documented in TA17-293A report
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: ps.exe -accepteula
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Renamed SysInternals tool
-id: 18da1007-3f26-470f-875d-f77faf1cab31
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://www.us-cert.gov/ncas/alerts/TA17-293A
-tags:
-- attack.defense_evasion
-- attack.g0035
-- attack.t1036
-- attack.t1036.003
-- car.2013-05-009
-yml_filename: win_apt_ta17_293a_ps.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
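Review bot: `CommandLine: ps.exe -accepteula` has no wildcards, so under the matching rules described in this document it is an exact match on the whole command line and will not fire when the binary is invoked with a path or with further arguments; if substring matching is the intent, a successor rule needs `*ps.exe -accepteula*`.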
diff --git a/rules/alert-rules/sigma/win_apt_ta505_dropper.yml b/rules/alert-rules/sigma/win_apt_ta505_dropper.yml
deleted file mode 100644
index cf68abca..00000000
--- a/rules/alert-rules/sigma/win_apt_ta505_dropper.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: TA505 Dropper Load Pattern
-author: Florian Roth
-date: 2020/12/08
-description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious
- documents
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\mshta.exe'
- SELECTION_3:
- ParentImage: '*\wmiprvse.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/ForensicITGuy/status/1334734244120309760
-status: experimental
-tags:
-- attack.execution
-- attack.g0092
-yml_filename: win_apt_ta505_dropper.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_taidoor.yml b/rules/alert-rules/sigma/win_apt_taidoor.yml
deleted file mode 100644
index f2f905c2..00000000
--- a/rules/alert-rules/sigma/win_apt_taidoor.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: TAIDOOR RAT DLL Load
-author: Florian Roth
-date: 2020/07/30
-description: Detects specific process characteristics of Chinese TAIDOOR RAT malware
- load
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*dll,MyStart*'
- SELECTION_3:
- CommandLine: '*dll MyStart*'
- SELECTION_4:
- EventID: 1
- SELECTION_5:
- CommandLine: '* MyStart'
- SELECTION_6:
- CommandLine: '*rundll32.exe*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and
- (SELECTION_5) and (SELECTION_6))))
-falsepositives:
-- Unknown
-id: d1aa3382-abab-446f-96ea-4de52908210b
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
-status: experimental
-tags:
-- attack.execution
-- attack.t1055
-- attack.t1055.001
-yml_filename: win_apt_taidoor.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
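Review bot: SELECTION_4 repeats SELECTION_1's `EventID: 1` and is ANDed inside a condition that already requires SELECTION_1, so it is redundant; the same duplicated EventID selection appears in the UNC2452 process-creation rule removed later in this series, which suggests a converter quirk worth fixing before the rules are regenerated.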
diff --git a/rules/alert-rules/sigma/win_apt_tropictrooper.yml b/rules/alert-rules/sigma/win_apt_tropictrooper.yml
deleted file mode 100644
index 6335273a..00000000
--- a/rules/alert-rules/sigma/win_apt_tropictrooper.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: TropicTrooper Campaign November 2018
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2019/11/12
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations
- in the energy and food and beverage sectors in Asia
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
- condition: (SELECTION_1 and SELECTION_2)
-id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
-status: stable
-tags:
-- attack.execution
-- attack.t1059
-- attack.t1059.001
-yml_filename: win_apt_tropictrooper.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_turla_comrat_may20.yml b/rules/alert-rules/sigma/win_apt_turla_comrat_may20.yml
deleted file mode 100644
index b528745e..00000000
--- a/rules/alert-rules/sigma/win_apt_turla_comrat_may20.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Turla Group Commands May 2020
-author: Florian Roth
-date: 2020/05/26
-description: Detects commands used by Turla group as reported by ESET in May 2020
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*tracert -h 10 yahoo.com*'
- SELECTION_3:
- CommandLine: '*.WSqmCons))|iex;*'
- SELECTION_4:
- CommandLine: '*Fr`omBa`se6`4Str`ing*'
- SELECTION_5:
- CommandLine: '*net use https://docs.live.net*'
- SELECTION_6:
- CommandLine: '*@aol.co.uk*'
- condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5
- and SELECTION_6)))
-falsepositives:
-- Unknown
-id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
-status: experimental
-tags:
-- attack.g0010
-- attack.execution
-- attack.t1086
-- attack.t1059.001
-- attack.t1053
-- attack.t1053.005
-- attack.t1027
-yml_filename: win_apt_turla_comrat_may20.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_turla_service_png.yml b/rules/alert-rules/sigma/win_apt_turla_service_png.yml
deleted file mode 100644
index ed1a0b1d..00000000
--- a/rules/alert-rules/sigma/win_apt_turla_service_png.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Turla PNG Dropper Service
-author: Florian Roth
-date: 2018/11/23
-description: This method detects malicious services mentioned in Turla PNG dropper
- report by NCC Group in November 2018
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ServiceName: WerFaultSvc
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unlikely
-id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
-level: critical
-logsource:
- product: windows
- service: system
-references:
-- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
-tags:
-- attack.persistence
-- attack.g0010
-- attack.t1050
-- attack.t1543.003
-yml_filename: win_apt_turla_service_png.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_unc2452_cmds.yml b/rules/alert-rules/sigma/win_apt_unc2452_cmds.yml
deleted file mode 100644
index 155b4b3f..00000000
--- a/rules/alert-rules/sigma/win_apt_unc2452_cmds.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-title: UNC2452 Process Creation Patterns
-author: Florian Roth
-date: 2021/01/22
-description: Detects a specific process creation patterns as seen used by UNC2452
- and provided by Microsoft as Microsoft Defender ATP queries
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*cmd.exe /C *'
- SELECTION_11:
- CommandLine: '*rundll32 c:\windows\\*'
- SELECTION_12:
- CommandLine: '*.dll *'
- SELECTION_13:
- EventID: 1
- SELECTION_14:
- ParentImage: '*\rundll32.exe'
- SELECTION_15:
- Image: '*\dllhost.exe'
- SELECTION_16:
- CommandLine: ' '
- SELECTION_17:
- CommandLine: ''
- SELECTION_2:
- CommandLine: '*7z.exe a -v500m -mx9 -r0 -p*'
- SELECTION_3:
- ParentCommandLine: '*wscript.exe*'
- SELECTION_4:
- ParentCommandLine: '*.vbs*'
- SELECTION_5:
- CommandLine: '*rundll32.exe*'
- SELECTION_6:
- CommandLine: '*C:\Windows*'
- SELECTION_7:
- CommandLine: '*.dll,Tk_*'
- SELECTION_8:
- ParentImage: '*\rundll32.exe'
- SELECTION_9:
- ParentCommandLine: '*C:\Windows*'
- condition: (SELECTION_1 and (((((SELECTION_2) or (SELECTION_3 and SELECTION_4
- and SELECTION_5 and SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9
- and SELECTION_10)) or (SELECTION_11 and SELECTION_12)) or (SELECTION_13 and
- (SELECTION_14 and SELECTION_15) and not ((SELECTION_16 or SELECTION_17)))))
-falsepositives:
-- Unknown
-id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-yml_filename: win_apt_unc2452_cmds.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
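Review bot: SELECTION_13 duplicates SELECTION_1 (`EventID: 1`) and the condition nests parentheses five deep for what is a flat OR of five branches; the exclusion `not (SELECTION_16 or SELECTION_17)` for a blank or empty `CommandLine` is the only non-trivial part and deserves a comment in any successor explaining that it filters `dllhost.exe` launched by `rundll32.exe` with no arguments.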
diff --git a/rules/alert-rules/sigma/win_apt_unc2452_ps.yml b/rules/alert-rules/sigma/win_apt_unc2452_ps.yml
deleted file mode 100644
index 434d4916..00000000
--- a/rules/alert-rules/sigma/win_apt_unc2452_ps.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: UNC2452 PowerShell Pattern
-author: Florian Roth
-date: 2021/01/20
-description: Detects a specific PowerShell command line pattern used by the UNC2452
- actors as mentioned in Microsoft and Symantec reports
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*Invoke-WMIMethod win32_process -name create -argumentlist*'
- SELECTION_3:
- CommandLine: '*rundll32 c:\windows*'
- SELECTION_4:
- CommandLine: '*wmic /node:*'
- SELECTION_5:
- CommandLine: '*process call create "rundll32 c:\windows*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5)))
-falsepositives:
-- Unknown, unlikely, but possible
-id: b7155193-8a81-4d8f-805d-88de864ca50c
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/01/22
-references:
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
-- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1047
-yml_filename: win_apt_unc2452_ps.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_unidentified_nov_18.yml b/rules/alert-rules/sigma/win_apt_unidentified_nov_18.yml
deleted file mode 100644
index b8506e3e..00000000
--- a/rules/alert-rules/sigma/win_apt_unidentified_nov_18.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Unidentified Attacker November 2018
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2018/11/20
-description: A sigma rule detecting an unidetefied attacker who used phishing emails
- to target high profile orgs on November 2018. The Actor shares some TTPs with
- YYTRIUM/APT29 campaign in 2016.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*cyzfc.dat,*'
- SELECTION_3:
- CommandLine: '*PointFunctionCall'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-id: 7453575c-a747-40b9-839b-125a0aae324b
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/19
-references:
-- https://twitter.com/DrunkBinary/status/1063075530180886529
-status: stable
-tags:
-- attack.execution
-- attack.t1218.011
-- attack.t1085
-yml_filename: win_apt_unidentified_nov_18.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
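Review bot: nothing in this hunk or its neighbours records why a rule marked `status: stable` (`id: 7453575c-a747-40b9-839b-125a0aae324b`) is being removed; the commit or PR description should state whether these converted rules are superseded by a fresh sync of the upstream Sigma repository or dropped as unsupported, so a reviewer can check the deletion of a stable rule against its replacement rather than guessing.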
diff --git a/rules/alert-rules/sigma/win_apt_winnti_mal_hk_jan20.yml b/rules/alert-rules/sigma/win_apt_winnti_mal_hk_jan20.yml
deleted file mode 100644
index 33329023..00000000
--- a/rules/alert-rules/sigma/win_apt_winnti_mal_hk_jan20.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Winnti Malware HK University Campaign
-author: Florian Roth, Markus Neis
-date: 2020/02/01
-description: Detects specific process characteristics of Winnti malware noticed in
- Dec/Jan 2020 in a campaign against Honk Kong universities
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- ParentImage: C:\ProgramData\DRM\Windows*
- SELECTION_11:
- Image: '*\SearchFilterHost.exe'
- SELECTION_2:
- ParentImage: '*C:\Windows\Temp*'
- SELECTION_3:
- ParentImage: '*\hpqhvind.exe*'
- SELECTION_4:
- Image: C:\ProgramData\DRM*
- SELECTION_5:
- ParentImage: C:\ProgramData\DRM*
- SELECTION_6:
- Image: '*\wmplayer.exe'
- SELECTION_7:
- ParentImage: '*\Test.exe'
- SELECTION_8:
- Image: '*\wmplayer.exe'
- SELECTION_9:
- Image: C:\ProgramData\DRM\CLR\CLR.exe
- condition: (SELECTION_1 and (((SELECTION_2 or SELECTION_3) and SELECTION_4) or
- (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or SELECTION_9
- or (SELECTION_10 and SELECTION_11)))
-falsepositives:
-- Unlikely
-id: 3121461b-5aa0-4a41-b910-66d25524edbb
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1574.002
-- attack.t1073
-- attack.g0044
-yml_filename: win_apt_winnti_mal_hk_jan20.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
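Review bot: `SELECTION_6` and `SELECTION_8` in this hunk are identical (`Image: '*\wmplayer.exe'`), and the selections are ordered lexically rather than logically (`SELECTION_1`, `SELECTION_10`, `SELECTION_11`, `SELECTION_2`, ...), both signs of a mechanical conversion that never deduplicated its output; if the rule set is regenerated, merge identical selections so the `condition` line stays readable and the redundant evaluation goes away.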
diff --git a/rules/alert-rules/sigma/win_apt_winnti_pipemon.yml b/rules/alert-rules/sigma/win_apt_winnti_pipemon.yml
deleted file mode 100644
index 62bcc8a2..00000000
--- a/rules/alert-rules/sigma/win_apt_winnti_pipemon.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Winnti Pipemon Characteristics
-author: Florian Roth, oscd.community
-date: 2020/07/30
-description: Detects specific process characteristics of Winnti Pipemon malware reported
- by ESET
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*setup0.exe -p*'
- SELECTION_3:
- CommandLine: '*setup.exe*'
- SELECTION_4:
- CommandLine: '*-x:0'
- SELECTION_5:
- CommandLine: '*-x:1'
- SELECTION_6:
- CommandLine: '*-x:2'
- condition: (SELECTION_1 and ((SELECTION_2) or (SELECTION_3 and (SELECTION_4 or
- SELECTION_5 or SELECTION_6))))
-falsepositives:
-- Legitimate setups that use similar flags
-id: 73d70463-75c9-4258-92c6-17500fe972f2
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1574.002
-- attack.t1073
-- attack.g0044
-yml_filename: win_apt_winnti_pipemon.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_apt_wocao.yml b/rules/alert-rules/sigma/win_apt_wocao.yml
deleted file mode 100644
index 422a5bd2..00000000
--- a/rules/alert-rules/sigma/win_apt_wocao.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Operation Wocao Activity
-author: Florian Roth, frack113
-date: 2019/12/20
-description: Detects activity mentioned in Operation Wocao report
-detection:
- SELECTION_1:
- EventID: 4799
- SELECTION_2:
- TargetUserName: Administr*
- SELECTION_3:
- CallerProcessName: '*\checkadmin.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Administrators that use checkadmin.exe tool to enumerate local administrators
-id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/09/19
-references:
-- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
-- https://twitter.com/SBousseaden/status/1207671369963646976
-status: experimental
-tags:
-- attack.discovery
-- attack.t1012
-- attack.defense_evasion
-- attack.t1036.004
-- attack.t1036
-- attack.t1027
-- attack.execution
-- attack.t1053.005
-- attack.t1053
-- attack.t1059.001
-- attack.t1086
-yml_filename: win_apt_wocao.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_apt_zxshell.yml b/rules/alert-rules/sigma/win_apt_zxshell.yml
deleted file mode 100644
index 5971c263..00000000
--- a/rules/alert-rules/sigma/win_apt_zxshell.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: ZxShell Malware
-author: Florian Roth, oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-description: Detects a ZxShell start by the called and well-known function name
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\rundll32.exe'
- SELECTION_3:
- CommandLine: '*zxFunction*'
- SELECTION_4:
- CommandLine: '*RemoteDiskXXXXX*'
- condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- Unlikely
-fields:
-- CommandLine
-- ParentCommandLine
-id: f0b70adb-0075-43b0-9745-e82a1c608fcc
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/26
-references:
-- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
-tags:
-- attack.execution
-- attack.t1059.003
-- attack.t1059
-- attack.defense_evasion
-- attack.t1218.011
-- attack.t1085
-- attack.s0412
-- attack.g0001
-yml_filename: win_apt_zxshell.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/alert-rules/sigma/win_arbitrary_shell_execution_via_settingcontent.yml
deleted file mode 100644
index 51ad235f..00000000
--- a/rules/alert-rules/sigma/win_arbitrary_shell_execution_via_settingcontent.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Arbitrary Shell Command Execution Via Settingcontent-Ms
-author: Sreeman
-date: 2020/03/13
-description: The .SettingContent-ms file type was introduced in Windows 10 and allows
- a user to create "shortcuts" to various Windows 10 setting pages. These files
- are simply XML and contain paths to various Windows 10 settings binaries.
-detection:
- SELECTION_1:
- CommandLine: '*.SettingContent-ms*'
- SELECTION_2:
- FilePath: '*immersivecontrolpanel*'
- condition: (SELECTION_1 and not (SELECTION_2))
-falsepositives:
-- unknown
-fields:
-- ParentProcess
-- CommandLine
-- ParentCommandLine
-id: 24de4f3b-804c-4165-b442-5a06a2302c7e
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/08/09
-references:
-- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-tags:
-- attack.t1204
-- attack.t1193
-- attack.t1566.001
-- attack.execution
-- attack.initial_access
-yml_filename: win_arbitrary_shell_execution_via_settingcontent.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
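Review bot: this rule carries no `EventID` selection although its `logsource` is `service: security`, so before deletion it matched any Security-log event whose `CommandLine` contained `.SettingContent-ms`, and the filter field `FilePath` is not a field of the Security process-creation event (4688 reports `NewProcessName`); if the detection is ever re-added it needs an `EventID: 4688` selection and a real field name, or a `category: process_creation` logsource like the sibling rules.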
diff --git a/rules/alert-rules/sigma/win_asr_bypass_via_appvlp_re.yml b/rules/alert-rules/sigma/win_asr_bypass_via_appvlp_re.yml
deleted file mode 100644
index ee61a3a3..00000000
--- a/rules/alert-rules/sigma/win_asr_bypass_via_appvlp_re.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Using AppVLP To Circumvent ASR File Path Rule
-author: Sreeman
-date: 2020/03/13
-description: "Application Virtualization Utility is included with Microsoft Office.We\
- \ are able to abuse \u201CAppVLP\u201D to execute shell commands. Normally, this\
- \ binary is used for Application Virtualization, but we can use it as an abuse\
- \ binary to circumvent the ASR file path rule folder or to mark a file as a system\
- \ file"
-detection:
- SELECTION_1:
- CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
- condition: SELECTION_1
-falsepositives:
-- unknown
-fields:
-- ParentProcess
-- CommandLine
-- ParentCommandLine
-id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/06/11
-status: experimental
-tags:
-- attack.t1218
-- attack.defense_evasion
-- attack.execution
-yml_filename: win_asr_bypass_via_appvlp_re.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
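Review bot: the `CommandLine|re` pattern in this hunk leaves every `.` unescaped, so `(.sh|.exe|.dll|...)` matches any character followed by `sh`, `exe` and so on, and `appvlp.exe` also matches an arbitrary character in place of the dot; together with the missing `EventID` selection under a `service: security` logsource (the same gap as in the preceding rule), the rule was looser than its `level: medium` suggests. If it is regenerated, escape the dots (`\.sh|\.exe|...`) and add the event filter.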
diff --git a/rules/alert-rules/sigma/win_atsvc_task.yml b/rules/alert-rules/sigma/win_atsvc_task.yml
deleted file mode 100644
index ff1cf64f..00000000
--- a/rules/alert-rules/sigma/win_atsvc_task.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Remote Task Creation via ATSVC Named Pipe
-author: Samir Bousseaden
-date: 2019/04/03
-description: Detects remote task creation via at.exe or API interacting with ATSVC
- namedpipe
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- ShareName: \\*\IPC$
- SELECTION_3:
- RelativeTargetName: atsvc
- SELECTION_4:
- Accesses: '*WriteData*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- pentesting
-id: f6de6525-4509-495a-8a82-1f8b0ed73a00
-level: medium
-logsource:
- definition: The advanced audit policy setting "Object Access > Audit Detailed
- File Share" must be configured for Success/Failure
- product: windows
- service: security
-references:
-- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
-tags:
-- attack.lateral_movement
-- attack.persistence
-- attack.t1053
-- car.2013-05-004
-- car.2015-04-001
-- attack.t1053.002
-yml_filename: win_atsvc_task.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_attrib_hiding_files.yml b/rules/alert-rules/sigma/win_attrib_hiding_files.yml
deleted file mode 100644
index a1ec7081..00000000
--- a/rules/alert-rules/sigma/win_attrib_hiding_files.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Hiding Files with Attrib.exe
-author: Sami Ruohonen
-date: 2019/01/16
-description: Detects usage of attrib.exe to hide files from users.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\attrib.exe'
- SELECTION_3:
- CommandLine: '* +h *'
- SELECTION_4:
- EventID: 1
- SELECTION_5:
- CommandLine: '*\desktop.ini *'
- SELECTION_6:
- ParentImage: '*\cmd.exe'
- SELECTION_7:
- CommandLine: +R +H +S +A \\*.cui
- SELECTION_8:
- ParentCommandLine: C:\WINDOWS\system32\\*.bat
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
- and (SELECTION_5 or (SELECTION_6 and SELECTION_7 and SELECTION_8)))))
-falsepositives:
-- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe
- and igfxCUIService.exe is the parent of the cmd.exe)
-- msiexec.exe hiding desktop.ini
-fields:
-- CommandLine
-- ParentCommandLine
-- User
-id: 4281cb20-2994-4580-aa63-c8b86d019934
-level: low
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1564.001
-- attack.t1158
-yml_filename: win_attrib_hiding_files.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
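Review bot: `SELECTION_1` and `SELECTION_4` in this hunk are both `EventID: 1`, so the filter branch `SELECTION_4 and (...)` re-tests a condition the positive branch already requires; the duplicate is harmless but shows the converter emitting one selection per Sigma map without reuse. Note also that `SELECTION_7` (`\\*.cui`) and `SELECTION_8` (`system32\\*.bat`) depend on the `\\*` encoding that `AboutRuleCreation-English.md` documents for a backslash immediately before a wildcard, so any replacement converter has to preserve that encoding or the filter stops matching.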
diff --git a/rules/alert-rules/sigma/win_audit_cve.yml b/rules/alert-rules/sigma/win_audit_cve.yml
deleted file mode 100644
index 0732d3a6..00000000
--- a/rules/alert-rules/sigma/win_audit_cve.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Audit CVE Event
-author: Florian Roth
-date: 2020/01/15
-description: Detects events generated by Windows to indicate the exploitation of a
- known vulnerability (e.g. CVE-2020-0601)
-detection:
- SELECTION_1:
- Provider_Name: Microsoft-Windows-Audit-CVE
- condition: SELECTION_1
-falsepositives:
-- Unknown
-id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
-level: critical
-logsource:
- product: windows
- service: application
-modified: 2021/10/13
-references:
-- https://twitter.com/mattifestation/status/1217179698008068096
-- https://twitter.com/VM_vivisector/status/1217190929330655232
-- https://twitter.com/davisrichardg/status/1217517547576348673
-- https://twitter.com/DidierStevens/status/1217533958096924676
-- https://twitter.com/FlemmingRiis/status/1217147415482060800
-status: experimental
-tags:
-- attack.execution
-- attack.t1203
-- attack.privilege_escalation
-- attack.t1068
-- attack.defense_evasion
-- attack.t1211
-- attack.credential_access
-- attack.t1212
-- attack.lateral_movement
-- attack.t1210
-- attack.impact
-- attack.t1499.004
-yml_filename: win_audit_cve.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_av_relevant_match.yml b/rules/alert-rules/sigma/win_av_relevant_match.yml
deleted file mode 100644
index 19fc860a..00000000
--- a/rules/alert-rules/sigma/win_av_relevant_match.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Relevant Anti-Virus Event
-author: Florian Roth
-date: 2017/02/19
-description: This detection method points out highly relevant Antivirus events
-detection:
- condition: ((HTool- or Hacktool or ASP/Backdoor or JSP/Backdoor or PHP/Backdoor
- or Backdoor.ASP or Backdoor.JSP or Backdoor.PHP or Webshell or Portscan or
- Mimikatz or WinCred or PlugX or Korplug or Pwdump or Chopper or WmiExec or
- Xscan or Clearlog or ASPXSpy) and not (Keygen or Crack))
-falsepositives:
-- Some software piracy tools (key generators, cracks) are classified as hack tools
-id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
-level: high
-logsource:
- product: windows
- service: application
-modified: 2021/07/28
-tags:
-- attack.resource_development
-- attack.t1588
-yml_filename: win_av_relevant_match.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
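Review bot: the `condition` in this hunk (`(HTool- or Hacktool or ASP/Backdoor ...) and not (Keygen or Crack)`) names no selection defined under `detection:`; those terms are the free-text `keywords` of the upstream Sigma rule, which the converter pasted into the condition instead of producing a keyword selection, so the rule could never have evaluated as intended (`HTool-` with its trailing hyphen is not even a usable identifier). Deleting it is the right call, but the converter defect behind it should be fixed before any regeneration.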
diff --git a/rules/alert-rules/sigma/win_bad_opsec_sacrificial_processes.yml b/rules/alert-rules/sigma/win_bad_opsec_sacrificial_processes.yml
deleted file mode 100644
index 6dfb2282..00000000
--- a/rules/alert-rules/sigma/win_bad_opsec_sacrificial_processes.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
-author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian
- Burkard
-date: 2020/10/23
-description: Detects attackers using tooling with bad opsec defaults e.g. spawning
- a sacrificial process to inject a capability into the process without taking into
- account how the process is normally run, one trivial example of this is using
- rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted
- by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and
- other examples.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- Image: '*\regsvr32.exe'
- SELECTION_11:
- CommandLine: '*\regsvr32.exe'
- SELECTION_2:
- Image: '*\WerFault.exe'
- SELECTION_3:
- CommandLine: '*\WerFault.exe'
- SELECTION_4:
- Image: '*\rundll32.exe'
- SELECTION_5:
- CommandLine: '*\rundll32.exe'
- SELECTION_6:
- Image: '*\regsvcs.exe'
- SELECTION_7:
- CommandLine: '*\regsvcs.exe'
- SELECTION_8:
- Image: '*\regasm.exe'
- SELECTION_9:
- CommandLine: '*\regasm.exe'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)
- or (SELECTION_10 and SELECTION_11)))
-falsepositives:
-- Unlikely
-fields:
-- ParentImage
-- ParentCommandLine
-id: a7c3d773-caef-227e-a7e7-c2f13c622329
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/01
-references:
-- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
-- https://www.cobaltstrike.com/help-opsec
-- https://twitter.com/CyberRaiju/status/1251492025678983169
-- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
-- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
-- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
-- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
-related:
-- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
- type: obsoletes
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1085
-- attack.t1218.011
-yml_filename: win_bad_opsec_sacrificial_processes.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_bootconf_mod.yml b/rules/alert-rules/sigma/win_bootconf_mod.yml
deleted file mode 100644
index 75ad288f..00000000
--- a/rules/alert-rules/sigma/win_bootconf_mod.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Modification of Boot Configuration
-author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-description: Identifies use of the bcdedit command to delete boot configuration data.
- This tactic is sometimes used as by malware or an attacker as a destructive technique.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\bcdedit.exe'
- SELECTION_3:
- CommandLine: '*set*'
- SELECTION_4:
- CommandLine: '*bootstatuspolicy*'
- SELECTION_5:
- CommandLine: '*ignoreallfailures*'
- SELECTION_6:
- CommandLine: '*recoveryenabled*'
- SELECTION_7:
- CommandLine: '*no*'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
-- Unlikely
-fields:
-- ComputerName
-- User
-- CommandLine
-id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2019/11/11
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
-- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
-status: experimental
-tags:
-- attack.impact
-- attack.t1490
-yml_filename: win_bootconf_mod.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
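Review bot: the selections in this hunk match bare substrings (`'*set*'`, `'*no*'`) against the whole command line, so the `SELECTION_6 and SELECTION_7` branch fires on any `bcdedit ... recoveryenabled ...` invocation that happens to contain the letters `no` anywhere, for instance inside a path; a regenerated rule should tie the value to its argument (for example `'* recoveryenabled no*'`) or the `level: high` alerts will be noisy.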
diff --git a/rules/alert-rules/sigma/win_bypass_squiblytwo.yml b/rules/alert-rules/sigma/win_bypass_squiblytwo.yml
deleted file mode 100644
index c1b59f98..00000000
--- a/rules/alert-rules/sigma/win_bypass_squiblytwo.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: SquiblyTwo
-author: Markus Neis / Florian Roth
-date: 2019/01/16
-description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for
- imphash
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*http*'
- SELECTION_3:
- Image: '*\wmic.exe'
- SELECTION_4:
- CommandLine: '*wmic*'
- SELECTION_5:
- CommandLine: '*format*'
- SELECTION_6:
- Imphash: 1B1A3F43BF37B5BFE60751F2EE2F326E
- SELECTION_7:
- Imphash: 37777A96245A3C74EB217308F3546F4C
- SELECTION_8:
- Imphash: 9D87C9D67CE724033C0B40CC4CA1B206
- SELECTION_9:
- CommandLine: '*format:*'
- condition: (SELECTION_1 and SELECTION_2 and (((SELECTION_3) and SELECTION_4 and
- SELECTION_5) or ((SELECTION_6 or SELECTION_7 or SELECTION_8) and SELECTION_9)))
-falsepositives:
-- Unknown
-id: 8d63dadf-b91b-4187-87b6-34a1114577ea
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/27
-references:
-- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
-- https://twitter.com/mattifestation/status/986280382042595328
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1047
-- attack.t1220
-- attack.execution
-- attack.t1059.005
-- attack.t1059.007
-- attack.t1059
-yml_filename: win_bypass_squiblytwo.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_camera_microphone_access.yml b/rules/alert-rules/sigma/win_camera_microphone_access.yml
deleted file mode 100644
index 60f58718..00000000
--- a/rules/alert-rules/sigma/win_camera_microphone_access.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Processes Accessing the Microphone and Webcam
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/07
-description: Potential adversaries accessing the microphone and webcam in an endpoint.
-detection:
- SELECTION_1:
- EventID: 4657
- SELECTION_2:
- EventID: 4656
- SELECTION_3:
- EventID: 4663
- SELECTION_4:
- ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
- SELECTION_5:
- ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://twitter.com/duzvik/status/1269671601852813320
-- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
-status: experimental
-tags:
-- attack.collection
-- attack.t1123
-yml_filename: win_camera_microphone_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_change_default_file_association.yml b/rules/alert-rules/sigma/win_change_default_file_association.yml
deleted file mode 100644
index d79d3fa9..00000000
--- a/rules/alert-rules/sigma/win_change_default_file_association.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Change Default File Association
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-description: When a file is opened, the default program used to open the file (also
- called the file association or handler) is checked. File association selections
- are stored in the Windows Registry and can be edited by users, administrators,
- or programs that have Registry access or by administrators using the built-in
- assoc utility. Applications can modify the file association for a given file extension
- to call an arbitrary program when a file with the given extension is opened.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*cmd*'
- SELECTION_3:
- CommandLine: '*/c*'
- SELECTION_4:
- CommandLine: '*assoc*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Admin activity
-fields:
-- Image
-- CommandLine
-- User
-- LogonGuid
-- Hashes
-- ParentProcessGuid
-- ParentCommandLine
-id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
-level: low
-logsource:
- category: process_creation
- product: windows
-modified: 2019/11/04
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
-status: experimental
-tags:
-- attack.persistence
-- attack.t1546.001
-- attack.t1042
-yml_filename: win_change_default_file_association.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_cl_invocation_lolscript.yml b/rules/alert-rules/sigma/win_cl_invocation_lolscript.yml
deleted file mode 100644
index 7b10c067..00000000
--- a/rules/alert-rules/sigma/win_cl_invocation_lolscript.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Execution via CL_Invocation.ps1
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*CL_Invocation.ps1*'
- SELECTION_3:
- CommandLine: '*SyncInvoke*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: a0459f02-ac51-4c09-b511-b8c9203fc429
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/05/21
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
-- https://twitter.com/bohops/status/948061991012327424
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: win_cl_invocation_lolscript.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_cl_mutexverifiers_lolscript.yml b/rules/alert-rules/sigma/win_cl_mutexverifiers_lolscript.yml
deleted file mode 100644
index 29f00f62..00000000
--- a/rules/alert-rules/sigma/win_cl_mutexverifiers_lolscript.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Execution via CL_Mutexverifiers.ps1
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
- module
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*CL_Mutexverifiers.ps1*'
- SELECTION_3:
- CommandLine: '*runAfterCancelProcess*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 99465c8f-f102-4157-b11c-b0cddd53b79a
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/05/21
-references:
-- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
-- https://twitter.com/pabraeken/status/995111125447577600
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1216
-yml_filename: win_cl_mutexverifiers_lolscript.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_class_exec_xwizard.yml b/rules/alert-rules/sigma/win_class_exec_xwizard.yml
deleted file mode 100644
index f315b380..00000000
--- a/rules/alert-rules/sigma/win_class_exec_xwizard.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Custom Class Execution via Xwizard
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
-date: 2020/10/07
-description: Detects the execution of Xwizard tool with specific arguments which utilized
- to run custom class properties.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\xwizard.exe'
- SELECTION_3:
- CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
-level: medium
-logsource:
- category: process_creation
- product: windows
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-yml_filename: win_class_exec_xwizard.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
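Review bot: the `CommandLine|re` value in this hunk opens with a literal `{` and closes with `}`, the repetition metacharacters, left unescaped; many regex engines reject or misread a `{` that does not form a valid `{n,m}` quantifier, so a portable form of this GUID pattern escapes the outer braces (`\{[a-fA-F0-9]{8}-...-[a-fA-F0-9]{12}\}`). Worth fixing in the upstream rule even though this copy is being dropped.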
diff --git a/rules/alert-rules/sigma/win_cmdkey_recon.yml b/rules/alert-rules/sigma/win_cmdkey_recon.yml
deleted file mode 100644
index 99819ef8..00000000
--- a/rules/alert-rules/sigma/win_cmdkey_recon.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Cmdkey Cached Credentials Recon
-author: jmallette
-date: 2019/01/16
-description: Detects usage of cmdkey to look for cached credentials
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\cmdkey.exe'
- SELECTION_3:
- CommandLine: '* /list*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Legitimate administrative tasks
-fields:
-- CommandLine
-- ParentCommandLine
-- User
-id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/07/07
-references:
-- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
-- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.005
-- attack.t1003
-yml_filename: win_cmdkey_recon.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_cmstp_com_object_access.yml b/rules/alert-rules/sigma/win_cmstp_com_object_access.yml
deleted file mode 100644
index b9dbbdaf..00000000
--- a/rules/alert-rules/sigma/win_cmstp_com_object_access.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-title: CMSTP UAC Bypass via COM Object Access
-author: Nik Seetharaman, Christian Burkard
-date: 2021/08/31
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile
- Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\DllHost.exe'
- SELECTION_3:
- IntegrityLevel: High
- SELECTION_4:
- IntegrityLevel: System
- SELECTION_5:
- ParentCommandLine: '* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
- SELECTION_6:
- ParentCommandLine: '* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*'
- SELECTION_7:
- ParentCommandLine: '* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*'
- SELECTION_8:
- ParentCommandLine: '* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*'
- SELECTION_9:
- ParentCommandLine: '* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and (SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
-falsepositives:
-- Legitimate CMSTP use (unlikely in modern enterprise environments)
-fields:
-- CommandLine
-- ParentCommandLine
-- Hashes
-id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2019/07/31
-references:
-- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-- https://twitter.com/hFireF0X/status/897640081053364225
-- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-- https://github.com/hfiref0x/UACME
-status: stable
-tags:
-- attack.execution
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-- attack.t1088
-- attack.t1218.003
-- attack.t1191
-- attack.g0069
-- car.2019-04-001
-yml_filename: win_cmstp_com_object_access.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
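Review bot: `modified: 2019/07/31` precedes `date: 2021/08/31` in this hunk, and a modification date two years before the creation date cannot be right; if the rule is re-added, check both fields against the upstream source so the metadata is consistent.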
diff --git a/rules/alert-rules/sigma/win_cobaltstrike_process_patterns.yml b/rules/alert-rules/sigma/win_cobaltstrike_process_patterns.yml
deleted file mode 100644
index 986b8f81..00000000
--- a/rules/alert-rules/sigma/win_cobaltstrike_process_patterns.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: CobaltStrike Process Patterns
-author: Florian Roth
-date: 2021/07/27
-description: Detects process patterns found in Cobalt Strike beacon activity (see
- reference for more details)
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*\whoami.exe*'
- SELECTION_11:
- ParentImage: '*\dllhost.exe'
- SELECTION_12:
- Image: '*\cmd.exe'
- SELECTION_13:
- ParentImage: '*\runonce.exe'
- SELECTION_14:
- ParentCommandLine: '*\runonce.exe'
- SELECTION_2:
- CommandLine: '*\cmd.exe /C whoami*'
- SELECTION_3:
- ParentImage: C:\Temp*
- SELECTION_4:
- CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
- SELECTION_5:
- ParentCommandLine: '*/C whoami*'
- SELECTION_6:
- ParentCommandLine: '*cmd.exe /C echo*'
- SELECTION_7:
- ParentCommandLine: '* > \\.\pipe*'
- SELECTION_8:
- CommandLine: '*cmd.exe /c echo*'
- SELECTION_9:
- CommandLine: '*> \\.\pipe*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- (SELECTION_5 or SELECTION_6 or SELECTION_7)) or ((SELECTION_8 or SELECTION_9
- or SELECTION_10) and SELECTION_11) or (SELECTION_12 and SELECTION_13 and SELECTION_14)))
-falsepositives:
-- Other programs that cause these patterns (please report)
-id: f35c5d71-b489-4e22-a115-f003df287317
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/08/30
-references:
-- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
-- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-status: experimental
-tags:
-- attack.execution
-yml_filename: win_cobaltstrike_process_patterns.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
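Review bot: the hunk removes the rule without recording where its coverage goes; the file is `level: high`, `status: experimental`, and its condition is the one in this section that matches the `conhost.exe 0xffffffff -ForceV1` child together with the `> \\.\pipe` parent command lines, so the commit message (or a note in the rules directory) should say whether the sigma-converted set is being retired or relocated. Separately, the removed file's `yml_path: /Users/user/Documents/YamatoSecurity/...` is a developer-local absolute path; if the converter is rerun to produce a replacement set, have it emit a repository-relative path so the output is reproducible on other machines.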
diff --git a/rules/alert-rules/sigma/win_cobaltstrike_service_installs.yml b/rules/alert-rules/sigma/win_cobaltstrike_service_installs.yml
deleted file mode 100644
index e3a52c47..00000000
--- a/rules/alert-rules/sigma/win_cobaltstrike_service_installs.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: CobaltStrike Service Installations
-author: Florian Roth, Wojciech Lesicki
-date: 2021/05/26
-description: Detects known malicious service installs that appear in cases in which
- a Cobalt Strike beacon elevates privileges or lateral movement
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_10:
- ImagePath: '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
- SELECTION_2:
- ImagePath: '*ADMIN$*'
- SELECTION_3:
- ImagePath: '*.exe*'
- SELECTION_4:
- ImagePath: '*%COMSPEC%*'
- SELECTION_5:
- ImagePath: '*start*'
- SELECTION_6:
- ImagePath: '*powershell*'
- SELECTION_7:
- ImagePath: '*powershell -nop -w hidden -encodedcommand*'
- SELECTION_8:
- ImagePath: '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
- SELECTION_9:
- ImagePath: '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5 and SELECTION_6) or SELECTION_7 or (SELECTION_8 or SELECTION_9
- or SELECTION_10)))
-falsepositives:
-- Unknown
-id: 5a105d34-05fc-401e-8553-272b45c1522d
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/09/21
-references:
-- https://www.sans.org/webcasts/119395
-- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
-- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.lateral_movement
-- attack.t1021.002
-- attack.t1543.003
-- attack.t1569.002
-yml_filename: win_cobaltstrike_service_installs.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
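Review bot: SELECTION_8, SELECTION_9 and SELECTION_10 are the three base64 alignments (offsets 0, 1 and 2) of one and the same plaintext, not three unrelated indicators, so a replacement rule should keep all three and say so in a comment; otherwise a later cleanup that "deduplicates" them silently drops two thirds of the encoded-command matches. The extra parentheses around `(SELECTION_8 or SELECTION_9 or SELECTION_10)` in the condition are redundant as well.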
diff --git a/rules/alert-rules/sigma/win_commandline_path_traversal.yml b/rules/alert-rules/sigma/win_commandline_path_traversal.yml
deleted file mode 100644
index 059417b8..00000000
--- a/rules/alert-rules/sigma/win_commandline_path_traversal.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Cmd.exe CommandLine Path Traversal
-author: xknow @xknow_infosec
-date: 2020/06/11
-description: detects the usage of path traversal in cmd.exe indicating possible command/argument
- confusion/hijacking
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentCommandLine: '*cmd*'
- SELECTION_3:
- ParentCommandLine: '*/c*'
- SELECTION_4:
- CommandLine: '*/../../*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- (not much) some benign Java tools may product false-positive commandlines for loading
- libraries
-id: 087790e3-3287-436c-bccf-cbd0184a7db1
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
-- https://twitter.com/Oddvarmoe/status/1270633613449723905
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.003
-- attack.t1059
-yml_filename: win_commandline_path_traversal.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_commandline_path_traversal_evasion.yml b/rules/alert-rules/sigma/win_commandline_path_traversal_evasion.yml
deleted file mode 100644
index 7987377d..00000000
--- a/rules/alert-rules/sigma/win_commandline_path_traversal_evasion.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Command Line Path Traversial Evasion
-author: Christian Burkard
-date: 2021/10/26
-description: Detects the attempt to evade or obfuscate the executed command on the
- CommandLine using bogus path traversal
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\Windows\\*'
- SELECTION_3:
- CommandLine: '*\..\Windows\\*'
- SELECTION_4:
- CommandLine: '*\..\System32\\*'
- SELECTION_5:
- CommandLine: '*\..\..\\*'
- SELECTION_6:
- CommandLine: '*.exe\..\\*'
- condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
- or SELECTION_6))
-falsepositives:
-- Unknown
-id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://twitter.com/hexacorn/status/1448037865435320323
-- https://twitter.com/Gal_B1t/status/1062971006078345217
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1036
-yml_filename: win_commandline_path_traversal_evasion.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_control_panel_item.yml b/rules/alert-rules/sigma/win_control_panel_item.yml
deleted file mode 100644
index 7d034f6c..00000000
--- a/rules/alert-rules/sigma/win_control_panel_item.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Control Panel Items
-author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-date: 2020/06/22
-description: Detects the malicious use of a control panel item
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*.cpl'
- SELECTION_3:
- CommandLine: '*\System32\\*'
- SELECTION_4:
- CommandLine: '*%System%*'
- SELECTION_5:
- Image: '*\reg.exe'
- SELECTION_6:
- CommandLine: '*add*'
- SELECTION_7:
- CommandLine: '*CurrentVersion\\Control Panel\\CPLs*'
- condition: (SELECTION_1 and ((SELECTION_2 and not ((SELECTION_3 or SELECTION_4)))
- or (SELECTION_5 and SELECTION_6 and (SELECTION_7))))
-falsepositives:
-- Unknown
-id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/11/28
-references:
-- https://attack.mitre.org/techniques/T1196/
-- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
-status: experimental
-tags:
-- attack.execution
-- attack.defense_evasion
-- attack.t1218.002
-- attack.t1196
-- attack.persistence
-- attack.t1546
-yml_filename: win_control_panel_item.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_copying_sensitive_files_with_credential_data.yml b/rules/alert-rules/sigma/win_copying_sensitive_files_with_credential_data.yml
deleted file mode 100644
index f858cfc6..00000000
--- a/rules/alert-rules/sigma/win_copying_sensitive_files_with_credential_data.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-title: Copying Sensitive Files with Credential Data
-author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-description: Files with well-known filenames (sensitive files with credential data)
- copying
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*\repair\sam*'
- SELECTION_11:
- CommandLine: '*\repair\system*'
- SELECTION_12:
- CommandLine: '*\repair\security*'
- SELECTION_13:
- CommandLine: '*\config\RegBack\sam*'
- SELECTION_14:
- CommandLine: '*\config\RegBack\system*'
- SELECTION_15:
- CommandLine: '*\config\RegBack\security*'
- SELECTION_2:
- Image: '*\esentutl.exe'
- SELECTION_3:
- CommandLine: '*vss*'
- SELECTION_4:
- CommandLine: '* /m *'
- SELECTION_5:
- CommandLine: '* /y *'
- SELECTION_6:
- CommandLine: '*\windows\ntds\ntds.dit*'
- SELECTION_7:
- CommandLine: '*\config\sam*'
- SELECTION_8:
- CommandLine: '*\config\security*'
- SELECTION_9:
- CommandLine: '*\config\system *'
- condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
- or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15)))
-falsepositives:
-- Copying sensitive files for legitimate use (eg. backup) or forensic investigation
- by legitimate incident responder or forensic invetigator
-id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2019/11/13
-references:
-- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.002
-- attack.t1003.003
-- attack.t1003
-- car.2013-07-001
-- attack.s0404
-yml_filename: win_copying_sensitive_files_with_credential_data.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_credential_access_via_password_filter.yml b/rules/alert-rules/sigma/win_credential_access_via_password_filter.yml
deleted file mode 100644
index 7515a025..00000000
--- a/rules/alert-rules/sigma/win_credential_access_via_password_filter.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Dropping Of Password Filter DLL
-author: Sreeman
-date: 2020/10/29
-description: Detects dropping of dll files in system32 that may be used to retrieve
- user credentials from LSASS
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*HKLM\SYSTEM\CurrentControlSet\Control\Lsa*'
- SELECTION_3:
- CommandLine: '*scecli\0*'
- SELECTION_4:
- CommandLine: '*reg add*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-id: b7966f4a-b333-455b-8370-8ca53c229762
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/11
-references:
-- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
-- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1174
-- attack.t1556.002
-yml_filename: win_credential_access_via_password_filter.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_crime_fireball.yml b/rules/alert-rules/sigma/win_crime_fireball.yml
deleted file mode 100644
index 846a9165..00000000
--- a/rules/alert-rules/sigma/win_crime_fireball.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Fireball Archer Install
-author: Florian Roth
-date: 2017/06/03
-description: Detects Archer malware invocation via rundll32
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*rundll32.exe*'
- SELECTION_3:
- CommandLine: '*InstallArcherSvc*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-fields:
-- CommandLine
-- ParentCommandLine
-id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/29
-references:
-- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
-- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
-status: experimental
-tags:
-- attack.execution
-- attack.defense_evasion
-- attack.t1218.011
-- attack.t1085
-yml_filename: win_crime_fireball.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_crime_maze_ransomware.yml b/rules/alert-rules/sigma/win_crime_maze_ransomware.yml
deleted file mode 100644
index 069902be..00000000
--- a/rules/alert-rules/sigma/win_crime_maze_ransomware.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Maze Ransomware
-author: Florian Roth
-date: 2020/05/08
-description: Detects specific process characteristics of Maze ransomware word document
- droppers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\WINWORD.exe'
- SELECTION_3:
- Image: '*.tmp'
- SELECTION_4:
- Image: '*\wmic.exe'
- SELECTION_5:
- ParentImage: '*\Temp\\*'
- SELECTION_6:
- CommandLine: '*shadowcopy delete'
- SELECTION_7:
- CommandLine: '*shadowcopy delete'
- SELECTION_8:
- CommandLine: '*\..\..\system32*'
- condition: (SELECTION_1 and (((SELECTION_2) and (SELECTION_3)) or (SELECTION_4
- and SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8)))
-falsepositives:
-- Unlikely
-fields:
-- ComputerName
-- User
-- Image
-id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-- https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
-- https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
-status: experimental
-tags:
-- attack.execution
-- attack.t1204.002
-- attack.t1204
-- attack.t1047
-- attack.impact
-- attack.t1490
-yml_filename: win_crime_maze_ransomware.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
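Review bot: SELECTION_6 and SELECTION_7 carry the identical pattern `'*shadowcopy delete'`, so the `(SELECTION_7 and SELECTION_8)` branch of the condition could have reused SELECTION_6; this is a conversion artifact (one upstream selection with several fields split into numbered single-field selections) and harmless for a file that is going away, but it is worth fixing in the converter so regenerated rules do not carry duplicate selections.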
diff --git a/rules/alert-rules/sigma/win_crime_snatch_ransomware.yml b/rules/alert-rules/sigma/win_crime_snatch_ransomware.yml
deleted file mode 100644
index 40e2c9ff..00000000
--- a/rules/alert-rules/sigma/win_crime_snatch_ransomware.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Snatch Ransomware
-author: Florian Roth
-date: 2020/08/26
-description: Detects specific process characteristics of Snatch ransomware word document
- droppers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*shutdown /r /f /t 00*'
- SELECTION_3:
- CommandLine: '*net stop SuperBackupMan*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
-fields:
-- ComputerName
-- User
-- Image
-id: 5325945e-f1f0-406e-97b8-65104d393fff
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-yml_filename: win_crime_snatch_ransomware.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_crypto_mining_monero.yml b/rules/alert-rules/sigma/win_crypto_mining_monero.yml
deleted file mode 100644
index a2818862..00000000
--- a/rules/alert-rules/sigma/win_crypto_mining_monero.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: Windows Crypto Mining Indicators
-author: Florian Roth
-date: 2021/10/26
-description: Detects command line parameters or strings often used by crypto miners
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*0tZG9uYXRlLWxldmVsP*'
- SELECTION_11:
- CommandLine: '*tLWRvbmF0ZS1sZXZlbD*'
- SELECTION_12:
- CommandLine: '*c3RyYXR1bSt0Y3A6Ly*'
- SELECTION_13:
- CommandLine: '*N0cmF0dW0rdGNwOi8v*'
- SELECTION_14:
- CommandLine: '*zdHJhdHVtK3RjcDovL*'
- SELECTION_15:
- CommandLine: '*c3RyYXR1bSt1ZHA6Ly*'
- SELECTION_16:
- CommandLine: '*N0cmF0dW0rdWRwOi8v*'
- SELECTION_17:
- CommandLine: '*zdHJhdHVtK3VkcDovL*'
- SELECTION_2:
- CommandLine: '* --cpu-priority=*'
- SELECTION_3:
- CommandLine: '*--donate-level=0*'
- SELECTION_4:
- CommandLine: '* -o pool.*'
- SELECTION_5:
- CommandLine: '* --nicehash*'
- SELECTION_6:
- CommandLine: '* --algo=rx/0 *'
- SELECTION_7:
- CommandLine: '*stratum+tcp://*'
- SELECTION_8:
- CommandLine: '*stratum+udp://*'
- SELECTION_9:
- CommandLine: '*LS1kb25hdGUtbGV2ZWw9*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
- or SELECTION_16 or SELECTION_17))
-falsepositives:
-- Legitimate use of crypto miners
-id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.poolwatch.io/coin/monero
-status: stable
-yml_filename: win_crypto_mining_monero.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
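Review bot: this rule is marked `status: stable` yet has no `tags:` block, unlike the neighbouring removed rules, so its ATT&CK mapping was never present; if the set is regenerated, check whether the upstream rule carries tags that the conversion dropped. SELECTION_9 through SELECTION_17 are again the three base64 alignments each of `--donate-level`, `stratum+tcp://` and `stratum+udp://`, i.e. the encoded counterparts of the clear-text SELECTION_3, SELECTION_7 and SELECTION_8, and a comment stating that would protect them from being pruned as duplicates.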
-
diff --git a/rules/alert-rules/sigma/win_cve_2021_1675_printspooler.yml b/rules/alert-rules/sigma/win_cve_2021_1675_printspooler.yml
deleted file mode 100644
index 43de7412..00000000
--- a/rules/alert-rules/sigma/win_cve_2021_1675_printspooler.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
-author: Florian Roth
-date: 2021/06/29
-description: Detects the default filename used in PoC code against print spooler vulnerability
- CVE-2021-1675
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
- SELECTION_3:
- TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\New\\*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- TargetFilename
-id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/07/01
-references:
-- https://github.com/hhlxf/PrintNightmare
-- https://github.com/afwu/PrintNightmare
-- https://github.com/cube0x0/CVE-2021-1675
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- cve.2021.1675
-yml_filename: win_cve_2021_1675_printspooler.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
-
diff --git a/rules/alert-rules/sigma/win_cve_2021_1675_printspooler_del.yml b/rules/alert-rules/sigma/win_cve_2021_1675_printspooler_del.yml
deleted file mode 100644
index 52f770f6..00000000
--- a/rules/alert-rules/sigma/win_cve_2021_1675_printspooler_del.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Windows Spooler Service Suspicious File Deletion
-author: Bhabesh Raj
-date: 2021/07/01
-description: Detect DLL deletions from Spooler Service driver folder
-detection:
- SELECTION_1:
- EventID: 23
- SELECTION_2:
- EventID: 26
- SELECTION_3:
- Image: '*spoolsv.exe'
- SELECTION_4:
- TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
-level: high
-logsource:
- category: file_delete
- product: windows
-modified: 2021/08/24
-references:
-- https://github.com/hhlxf/PrintNightmare
-- https://github.com/cube0x0/CVE-2021-1675
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1574
-- cve.2021.1675
-yml_filename: win_cve_2021_1675_printspooler_del.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
-
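Review bot: this rule and the preceding win_cve_2021_1675_printspooler.yml are the only `file_event` / `file_delete` logsource rules visible in this section, so deleting both leaves the `cve.2021.1675` tag with no rule behind it; if the replacement set is meant to cover the spooler driver directory (`C:\Windows\System32\spool\drivers\x64\3\`), confirm it includes both the write (EventID 11) and the delete (EventID 23/26) side, since the two files are only useful together.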
diff --git a/rules/alert-rules/sigma/win_data_compressed_with_rar.yml b/rules/alert-rules/sigma/win_data_compressed_with_rar.yml
deleted file mode 100644
index 481264e6..00000000
--- a/rules/alert-rules/sigma/win_data_compressed_with_rar.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Data Compressed - rar.exe
-author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-date: 2019/10/21
-description: An adversary may compress data (e.g., sensitive documents) that is collected
- prior to exfiltration in order to make it portable and minimize the amount of
- data sent over the network.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\rar.exe'
- SELECTION_3:
- CommandLine: '* a *'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Highly likely if rar is a default archiver in the monitored environment.
-fields:
-- Image
-- CommandLine
-- User
-- LogonGuid
-- Hashes
-- ParentProcessGuid
-- ParentCommandLine
-id: 6f3e2987-db24-4c78-a860-b4f4095a7095
-level: low
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/29
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
-- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1002
-- attack.collection
-- attack.t1560.001
-yml_filename: win_data_compressed_with_rar.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/alert-rules/sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
deleted file mode 100644
index bc2091be..00000000
--- a/rules/alert-rules/sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: DCERPC SMB Spoolss Named Pipe
-author: OTR (Open Threat Research)
-date: 2018/11/28
-description: Detects the use of the spoolss named pipe over SMB. This can be used
- to trigger the authentication via NTLM of any machine that has the spoolservice
- enabled.
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- ShareName: \\*\IPC$
- SELECTION_3:
- RelativeTargetName: spoolss
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Domain Controllers acting as printer servers too? :)
-id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
-- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
-- https://twitter.com/_dirkjan/status/1309214379003588608
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-yml_filename: win_dce_rpc_smb_spoolss_named_pipe.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_dcom_iertutil_dll_hijack.yml b/rules/alert-rules/sigma/win_dcom_iertutil_dll_hijack.yml
deleted file mode 100644
index d1ffffd1..00000000
--- a/rules/alert-rules/sigma/win_dcom_iertutil_dll_hijack.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
-author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/12
-description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
- Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
- DLL Hijack scenario.
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- RelativeTargetName: '*\Internet Explorer\iertutil.dll'
- SELECTION_3:
- SubjectUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
-falsepositives:
-- Unknown
-id: c39f0c81-7348-4965-ab27-2fde35a1b641
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-- attack.t1021.003
-yml_filename: win_dcom_iertutil_dll_hijack.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_dcsync.yml b/rules/alert-rules/sigma/win_dcsync.yml
deleted file mode 100644
index bf388fb9..00000000
--- a/rules/alert-rules/sigma/win_dcsync.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Mimikatz DC Sync
-author: Benjamin Delpy, Florian Roth, Scott Dermott
-date: 2018/06/03
-description: Detects Mimikatz DC sync security events
-detection:
- SELECTION_1:
- EventID: 4662
- SELECTION_2:
- Properties: '*Replicating Directory Changes All*'
- SELECTION_3:
- Properties: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- SELECTION_4:
- SubjectDomainName: Window Manager
- SELECTION_5:
- SubjectUserName: NT AUTHORITY*
- SELECTION_6:
- SubjectUserName: MSOL_*
- SELECTION_7:
- SubjectUserName: '*$'
- condition: ((((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
- and not ((SELECTION_5 or SELECTION_6))) and not (SELECTION_7))
-falsepositives:
-- Valid DC Sync that is not covered by the filters; please report
-- Local Domain Admin account used for Azure AD Connect
-id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/08/09
-references:
-- https://twitter.com/gentilkiwi/status/1003236624925413376
-- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
-status: experimental
-tags:
-- attack.credential_access
-- attack.s0002
-- attack.t1003
-- attack.t1003.006
-yml_filename: win_dcsync.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_defender_amsi_trigger.yml b/rules/alert-rules/sigma/win_defender_amsi_trigger.yml
deleted file mode 100644
index abc9cd76..00000000
--- a/rules/alert-rules/sigma/win_defender_amsi_trigger.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Windows Defender AMSI Trigger Detected
-author: Bhabesh Raj
-date: 2020/09/14
-description: Detects triggering of AMSI by Windows Defender.
-detection:
- SELECTION_1:
- EventID: 1116
- SELECTION_2:
- Source_Name: AMSI
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unlikely
-id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/10/13
-references:
-- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
-status: stable
-tags:
-- attack.execution
-- attack.t1059
-yml_filename: win_defender_amsi_trigger.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
diff --git a/rules/alert-rules/sigma/win_defender_bypass.yml b/rules/alert-rules/sigma/win_defender_bypass.yml
deleted file mode 100644
index 19c6923b..00000000
--- a/rules/alert-rules/sigma/win_defender_bypass.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Windows Defender Exclusion Set
-author: '@BarryShooshooga'
-date: 2019/10/26
-description: Detects scenarios where an windows defender exclusion was added in registry
- where an entity would want to bypass antivirus scanning from windows defender
-detection:
- SELECTION_1:
- EventID: 4657
- SELECTION_2:
- EventID: 4656
- SELECTION_3:
- EventID: 4660
- SELECTION_4:
- EventID: 4663
- SELECTION_5:
- ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
-falsepositives:
-- Intended inclusions by administrator
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
- Policy, Registry System Access Control (SACL): Auditing/User'
- product: windows
- service: security
-references:
-- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_defender_bypass.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
diff --git a/rules/alert-rules/sigma/win_defender_disabled.yml b/rules/alert-rules/sigma/win_defender_disabled.yml
deleted file mode 100644
index 3baa51e3..00000000
--- a/rules/alert-rules/sigma/win_defender_disabled.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Windows Defender Threat Detection Disabled
-author: "J\xE1n Tren\u010Dansk\xFD, frack113"
-date: 2020/07/28
-description: Detects disabling Windows Defender threat protection
-detection:
- SELECTION_1:
- EventID: 5001
- SELECTION_2:
- EventID: 5010
- SELECTION_3:
- EventID: 5012
- SELECTION_4:
- EventID: 5101
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- Administrator actions
-id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/09/21
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_defender_disabled.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
diff --git a/rules/alert-rules/sigma/win_defender_exclusions.yml b/rules/alert-rules/sigma/win_defender_exclusions.yml
deleted file mode 100644
index 6d7046aa..00000000
--- a/rules/alert-rules/sigma/win_defender_exclusions.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Windows Defender Exclusions Added
-author: Christian Burkard
-date: 2021/07/06
-description: Detects the Setting of Windows Defender Exclusions
-detection:
- SELECTION_1:
- EventID: 5007
- SELECTION_2:
- New_Value: '*\Microsoft\Windows Defender\Exclusions*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Administrator actions
-id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
-level: medium
-logsource:
- product: windows
- service: windefend
-modified: 2021/10/13
-references:
-- https://twitter.com/_nullbind/status/1204923340810543109
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_defender_exclusions.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
diff --git a/rules/alert-rules/sigma/win_defender_history_delete.yml b/rules/alert-rules/sigma/win_defender_history_delete.yml
deleted file mode 100644
index 0a59b493..00000000
--- a/rules/alert-rules/sigma/win_defender_history_delete.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Windows Defender Malware Detection History Deletion
-author: Cian Heasley
-date: 2020/08/13
-description: Windows Defender logs when the history of detected infections is deleted.
- Log file will contain the message "Windows Defender Antivirus has removed history
- of malware and other potentially unwanted software".
-detection:
- SELECTION_1:
- EventID: 1013
- SELECTION_2:
- EventType: 4
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Deletion of Defender malware detections history for legitimate reasons
-fields:
-- EventID
-- EventType
-id: 2afe6582-e149-11ea-87d0-0242ac130003
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/05/30
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.001
-yml_filename: win_defender_history_delete.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
diff --git a/rules/alert-rules/sigma/win_defender_psexec_wmi_asr.yml b/rules/alert-rules/sigma/win_defender_psexec_wmi_asr.yml
deleted file mode 100644
index a8178e3b..00000000
--- a/rules/alert-rules/sigma/win_defender_psexec_wmi_asr.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: PSExec and WMI Process Creations Block
-author: Bhabesh Raj
-date: 2020/07/14
-description: Detects blocking of process creations originating from PSExec and WMI
- commands
-detection:
- SELECTION_1:
- EventID: 1121
- SELECTION_2:
- ProcessName: '*\wmiprvse.exe'
- SELECTION_3:
- ProcessName: '*\psexesvc.exe'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
-level: high
-logsource:
- definition: 'Requirements:Enabled Block process creations originating from PSExec
- and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
- product: windows_defender
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
-- https://twitter.com/duff22b/status/1280166329660497920
-status: experimental
-tags:
-- attack.execution
-- attack.lateral_movement
-- attack.t1047
-- attack.t1035
-- attack.t1569.002
-yml_filename: win_defender_psexec_wmi_asr.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
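Review bot: `logsource: product: windows_defender` with no `service:` key differs from the neighbouring Defender rules, which all use `product: windows` / `service: windefend` (for example win_defender_amsi_trigger.yml and win_defender_tamper_protection_trigger.yml); if the replacement set is generated from the same upstream, normalise the logsource so this rule is applied to the same channel as its siblings. The `definition:` line documenting the ASR prerequisite (rule GUID d1e49aac-8f56-4280-b9ba-993a6d77406c) is useful and should be preserved in any regenerated copy.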
-
diff --git a/rules/alert-rules/sigma/win_defender_tamper_protection_trigger.yml b/rules/alert-rules/sigma/win_defender_tamper_protection_trigger.yml
deleted file mode 100644
index 32dae926..00000000
--- a/rules/alert-rules/sigma/win_defender_tamper_protection_trigger.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Microsoft Defender Tamper Protection Trigger
-author: Bhabesh Raj
-date: 2021/07/05
-description: Detects block of attempt to disable real time protection of Microsoft
- Defender by tamper protection
-detection:
- SELECTION_1:
- EventID: 5013
- SELECTION_2:
- Value: '*\Windows Defender\DisableAntiSpyware = 0x1()'
- SELECTION_3:
- Value: '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
- condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Administrator actions
-id: 49e5bc24-8b86-49f1-b743-535f332c2856
-level: critical
-logsource:
- product: windows
- service: windefend
-references:
-- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-yml_filename: win_defender_tamper_protection_trigger.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
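Review bot: this removes a rule marked `status: stable` and `level: critical` with no replacement visible in the diff, which should be justified explicitly in the PR description. Two smaller points if it is re-added: `attack.t1089` is the retired predecessor of `attack.t1562.001`, which is already listed, and the condition `((SELECTION_1) and (SELECTION_2 or SELECTION_3))` has a redundant pair of parentheses around `SELECTION_1`.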
diff --git a/rules/alert-rules/sigma/win_defender_threat.yml b/rules/alert-rules/sigma/win_defender_threat.yml
deleted file mode 100644
index e159af0a..00000000
--- a/rules/alert-rules/sigma/win_defender_threat.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Windows Defender Threat Detected
-author: "J\xE1n Tren\u010Dansk\xFD"
-date: 2020/07/28
-description: Detects all actions taken by Windows Defender malware detection engines
-detection:
- SELECTION_1:
- EventID: 1006
- SELECTION_2:
- EventID: 1116
- SELECTION_3:
- EventID: 1015
- SELECTION_4:
- EventID: 1117
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- unlikely
-id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
-level: high
-logsource:
- product: windows
- service: windefend
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-status: stable
-tags:
-- attack.execution
-- attack.t1059
-yml_filename: win_defender_threat.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
-
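Review bot: the tags on this rule do not match its logic. The detection is a plain OR over Defender engine events (1006, 1015, 1116, 1117) and the description says it reports "actions taken by Windows Defender malware detection engines", yet it is tagged `attack.execution` / `attack.t1059` (command and scripting interpreter). If the rule is carried forward, either retag it to what a Defender threat report actually indicates or document why T1059 was chosen.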
diff --git a/rules/alert-rules/sigma/win_detecting_fake_instances_of_hxtsr.yml b/rules/alert-rules/sigma/win_detecting_fake_instances_of_hxtsr.yml
deleted file mode 100644
index 25fe9f8b..00000000
--- a/rules/alert-rules/sigma/win_detecting_fake_instances_of_hxtsr.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Detecting Fake Instances Of Hxtsr.exe
-author: Sreeman
-date: 2020/04/17
-description: HxTsr.exe is a Microsoft compressed executable file called Microsoft
- Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in
- a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version
- number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe".
- Any instances of hxtsr.exe not in this folder may be malware camouflaging itself
- as HxTsr.exe
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: hxtsr.exe
- SELECTION_3:
- CurrentDirectory|re: (?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- unknown
-id: 4e762605-34a8-406d-b72e-c1a089313320
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/07/07
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1036
-yml_filename: win_detecting_fake_instances_of_hxtsr.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
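Review bot: the matching logic in this rule would not work as the description intends, so it should not be restored as-is. `Image: hxtsr.exe` has no wildcard, unlike every sibling rule in this diff (`'*\wmiprvse.exe'`, `'*\xwizard.exe'`, `'*\iodine.exe'`), so it requires the whole `Image` value to equal `hxtsr.exe` while Sysmon EventID 1 records a full path; and the exclusion regex is evaluated against `CurrentDirectory` (the working directory) but describes an executable path ending in `hxtsr\.exe`, so it never matches the field it is applied to. The fix would be `Image: '*\hxtsr.exe'` for SELECTION_2 and `Image|re:` for SELECTION_3.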
diff --git a/rules/alert-rules/sigma/win_disable_event_logging.yml b/rules/alert-rules/sigma/win_disable_event_logging.yml
deleted file mode 100644
index ed80d72c..00000000
--- a/rules/alert-rules/sigma/win_disable_event_logging.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Disabling Windows Event Auditing
-author: '@neu5ron'
-date: 2017/11/19
-description: 'Detects scenarios where system auditing (ie: windows event log auditing)
- is disabled. This may be used in a scenario where an entity would want to bypass
- local logging to evade detection when windows event logging is enabled and reviewed.
- Also, it is recommended to turn off "Local Group Policy Object Processing" via
- GPO, which will make sure that Active Directory GPOs take precedence over local/edited
- computer policies via something such as "gpedit.msc". Please note, that disabling
- "Local Group Policy Object Processing" may cause an issue in scenarios of one
- off specific GPO modifications -- however it is recommended to perform these modifications
- in Active Directory anyways.'
-detection:
- SELECTION_1:
- EventID: 4719
- SELECTION_2:
- AuditPolicyChanges: '*%%8448*'
- SELECTION_3:
- AuditPolicyChanges: '*%%8450*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: 69aeb277-f15f-4d2d-b32a-55e883609563
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
- Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
- Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization
- Policy Change'
- product: windows
- service: security
-references:
-- https://bit.ly/WinLogsZero2Hero
-tags:
-- attack.defense_evasion
-- attack.t1054
-- attack.t1562.002
-yml_filename: win_disable_event_logging.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
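Review bot: this rule lacks a `status:` field, which every other rule in this diff carries; if it is re-added, set one. `attack.t1054` is the retired predecessor of `attack.t1562.002`, which is already present. The only reference is a `bit.ly` shortlink, which cannot be audited and can be repointed later; replace it with the expanded URL. The `logsource.definition` line spelling out the audit policy prerequisite for EventID 4719 is good practice and worth keeping.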
diff --git a/rules/alert-rules/sigma/win_dll_sideload_xwizard.yml b/rules/alert-rules/sigma/win_dll_sideload_xwizard.yml
deleted file mode 100644
index 6850abcb..00000000
--- a/rules/alert-rules/sigma/win_dll_sideload_xwizard.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Xwizard DLL Sideloading
-author: Christian Burkard
-date: 2021/09/20
-description: Detects the execution of Xwizard tool from the non-default directory
- which can be used to sideload a custom xwizards.dll
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\xwizard.exe'
- SELECTION_3:
- Image: C:\Windows\System32\\*
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- Windows installed on non-C drive
-id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1574.002
-yml_filename: win_dll_sideload_xwizard.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_dns_exfiltration_tools_execution.yml b/rules/alert-rules/sigma/win_dns_exfiltration_tools_execution.yml
deleted file mode 100644
index 2305388c..00000000
--- a/rules/alert-rules/sigma/win_dns_exfiltration_tools_execution.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: DNS Exfiltration and Tunneling Tools Execution
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-description: Well-known DNS Exfiltration tools execution
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\iodine.exe'
- SELECTION_3:
- Image: '*\dnscat2*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- "Legitimate usage of iodine or dnscat2 \u2014 DNS Exfiltration tools (unlikely)"
-id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/29
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048.001
-- attack.t1048
-- attack.command_and_control
-- attack.t1071.004
-- attack.t1071
-- attack.t1132.001
-- attack.t1132
-yml_filename: win_dns_exfiltration_tools_execution.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_dnscat2_powershell_implementation.yml b/rules/alert-rules/sigma/win_dnscat2_powershell_implementation.yml
deleted file mode 100644
index 77ecd5c1..00000000
--- a/rules/alert-rules/sigma/win_dnscat2_powershell_implementation.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: DNSCat2 Powershell Implementation Detection Via Process Creation
-author: Cian Heasley
-date: 2020/08/08
-description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries.
- Counting nslookup processes spawned by PowerShell will show hundreds or thousands
- of instances if PS DNSCat2 is active locally.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\powershell.exe'
- SELECTION_3:
- Image: '*\nslookup.exe'
- SELECTION_4:
- CommandLine: '*\nslookup.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)| count(Image)
- by ParentImage > 100
-falsepositives:
-- Other powershell scripts that call nslookup.exe
-fields:
-- Image
-- CommandLine
-- ParentImage
-id: b11d75d6-d7c1-11ea-87d0-0242ac130003
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://github.com/lukebaggett/dnscat2-powershell
-- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
-- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1071
-- attack.t1071.004
-- attack.t1001.003
-- attack.t1041
-yml_filename: win_dnscat2_powershell_implementation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
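Review bot: SELECTION_4 (`CommandLine: '*\nslookup.exe'`) is ANDed with the other selections and anchors the end of the command line, so it only matches an `nslookup.exe` invocation with no arguments after the executable. The description says the PowerShell DNSCat2 implementation "calls nslookup to craft queries", which means the query name follows the executable, so this selection would filter out exactly the events the rule is meant to count. Either change it to `'*\nslookup.exe*'` or drop it, since SELECTION_3 already constrains `Image`. Also note the aggregation `count(Image) by ParentImage > 100` carries no timeframe, so the threshold applies across the whole evaluated log rather than a window.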
diff --git a/rules/alert-rules/sigma/win_dpapi_domain_backupkey_extraction.yml b/rules/alert-rules/sigma/win_dpapi_domain_backupkey_extraction.yml
deleted file mode 100644
index f10e185a..00000000
--- a/rules/alert-rules/sigma/win_dpapi_domain_backupkey_extraction.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: DPAPI Domain Backup Key Extraction
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
- Controllers
-detection:
- SELECTION_1:
- EventID: 4662
- SELECTION_2:
- ObjectType: SecretObject
- SELECTION_3:
- AccessMask: '0x2'
- SELECTION_4:
- ObjectName: BCKUPKEY
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 4ac1f50b-3bd0-4968-902d-868b4647937e
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.004
-yml_filename: win_dpapi_domain_backupkey_extraction.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/alert-rules/sigma/win_dpapi_domain_masterkey_backup_attempt.yml
deleted file mode 100644
index 76492e13..00000000
--- a/rules/alert-rules/sigma/win_dpapi_domain_masterkey_backup_attempt.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: DPAPI Domain Master Key Backup Attempt
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-description: Detects anyone attempting a backup for the DPAPI Master Key. This events
- gets generated at the source and not the Domain Controller.
-detection:
- SELECTION_1:
- EventID: 4692
- condition: SELECTION_1
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- SubjectDomainName
-- SubjectUserName
-id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.004
-yml_filename: win_dpapi_domain_masterkey_backup_attempt.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
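Review bot: the condition is a single selection on EventID 4692 with `falsepositives: Unknown` and `level: critical`; a bare event-ID match at critical severity should document why every occurrence is actionable, or the level should be lowered. The description also has a grammar slip ("This events gets generated") that should be corrected if the text is carried into a replacement rule.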
diff --git a/rules/alert-rules/sigma/win_encoded_frombase64string.yml b/rules/alert-rules/sigma/win_encoded_frombase64string.yml
deleted file mode 100644
index 23add9b0..00000000
--- a/rules/alert-rules/sigma/win_encoded_frombase64string.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Encoded FromBase64String
-author: Florian Roth
-date: 2019/08/24
-description: Detects a base64 encoded FromBase64String keyword in a process command
- line
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*OjpGcm9tQmFzZTY0U3RyaW5n*'
- SELECTION_3:
- CommandLine: '*o6RnJvbUJhc2U2NFN0cmluZ*'
- SELECTION_4:
- CommandLine: '*6OkZyb21CYXNlNjRTdHJpbm*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-fields:
-- CommandLine
-- ParentCommandLine
-id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
-level: critical
-logsource:
- category: process_creation
- product: windows
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1140
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: win_encoded_frombase64string.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_encoded_iex.yml b/rules/alert-rules/sigma/win_encoded_iex.yml
deleted file mode 100644
index 57a79a4b..00000000
--- a/rules/alert-rules/sigma/win_encoded_iex.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Encoded IEX
-author: Florian Roth
-date: 2019/08/23
-description: Detects a base64 encoded IEX command string in a process command line
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*pZXggKE5ld*'
- SELECTION_11:
- CommandLine: '*SUVYIChOZX*'
- SELECTION_12:
- CommandLine: '*lFWCAoTmV3*'
- SELECTION_13:
- CommandLine: '*JRVggKE5ld*'
- SELECTION_2:
- CommandLine: '*SUVYIChb*'
- SELECTION_3:
- CommandLine: '*lFWCAoW*'
- SELECTION_4:
- CommandLine: '*JRVggKF*'
- SELECTION_5:
- CommandLine: '*aWV4IChb*'
- SELECTION_6:
- CommandLine: '*lleCAoW*'
- SELECTION_7:
- CommandLine: '*pZXggKF*'
- SELECTION_8:
- CommandLine: '*aWV4IChOZX*'
- SELECTION_9:
- CommandLine: '*lleCAoTmV3*'
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
- or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
- or SELECTION_11 or SELECTION_12 or SELECTION_13))
-falsepositives:
-- unknown
-fields:
-- CommandLine
-- ParentCommandLine
-id: 88f680b8-070e-402c-ae11-d2914f2257f1
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/29
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-yml_filename: win_encoded_iex.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_etw_modification.yml b/rules/alert-rules/sigma/win_etw_modification.yml
deleted file mode 100644
index 9e26520b..00000000
--- a/rules/alert-rules/sigma/win_etw_modification.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: COMPlus_ETWEnabled Registry Modification
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-detection:
- SELECTION_1:
- EventID: 4657
- SELECTION_2:
- ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
- SELECTION_3:
- ObjectValueName: ETWEnabled
- SELECTION_4:
- NewValue: '0'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://twitter.com/_xpn_/status/1268712093928378368
-- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
-- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
-- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
-- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
-- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
-- https://bunnyinside.com/?term=f71e8cb9c76a
-- http://managed670.rssing.com/chan-5590147/all_p1.html
-- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-yml_filename: win_etw_modification.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
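Review bot: the `logsource` block for this rule has no `definition` documenting its audit prerequisite, in contrast to `win_disable_event_logging.yml` in this same diff. EventID 4657 is only produced when registry object access auditing is enabled and a SACL is set on the key being watched (`*\SOFTWARE\Microsoft\.NETFramework` here), so without that note a deployer would see no alerts and assume coverage. If the rule is re-added, add a `definition:` line stating the SACL requirement.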
diff --git a/rules/alert-rules/sigma/win_etw_modification_cmdline.yml b/rules/alert-rules/sigma/win_etw_modification_cmdline.yml
deleted file mode 100644
index 1a687362..00000000
--- a/rules/alert-rules/sigma/win_etw_modification_cmdline.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: COMPlus_ETWEnabled Command Line Arguments
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*COMPlus_ETWEnabled=0*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: 41421f44-58f9-455d-838a-c398859841d4
-level: critical
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/29
-references:
-- https://twitter.com/_xpn_/status/1268712093928378368
-- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
-- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
-- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
-- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
-- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
-- https://bunnyinside.com/?term=f71e8cb9c76a
-- http://managed670.rssing.com/chan-5590147/all_p1.html
-- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1562
-yml_filename: win_etw_modification_cmdline.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
diff --git a/rules/alert-rules/sigma/win_etw_trace_evasion.yml b/rules/alert-rules/sigma/win_etw_trace_evasion.yml
deleted file mode 100644
index 63c2e508..00000000
--- a/rules/alert-rules/sigma/win_etw_trace_evasion.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-title: Disable of ETW Trace
-author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
-date: 2019/03/22
-description: Detects a command that clears or disables any ETW trace log which could
- indicate a logging evasion.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_10:
- CommandLine: '*Remove-EtwTraceProvider*'
- SELECTION_11:
- CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
- SELECTION_12:
- CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
- SELECTION_13:
- CommandLine: '*Set-EtwTraceProvider*'
- SELECTION_14:
- CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
- SELECTION_15:
- CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
- SELECTION_16:
- CommandLine: '*0x11*'
- SELECTION_17:
- CommandLine: '*logman*'
- SELECTION_18:
- CommandLine: '*update*'
- SELECTION_19:
- CommandLine: '*trace*'
- SELECTION_2:
- CommandLine: '*cl*'
- SELECTION_20:
- CommandLine: '*--p*'
- SELECTION_21:
- CommandLine: '*-ets*'
- SELECTION_3:
- CommandLine: '*/Trace*'
- SELECTION_4:
- CommandLine: '*clear-log*'
- SELECTION_5:
- CommandLine: '*/Trace*'
- SELECTION_6:
- CommandLine: '*sl*'
- SELECTION_7:
- CommandLine: '*/e:false*'
- SELECTION_8:
- CommandLine: '*set-log*'
- SELECTION_9:
- CommandLine: '*/e:false*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
- SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)
- or (SELECTION_10 and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14
- and SELECTION_15 and SELECTION_16) or (SELECTION_17 and SELECTION_18 and SELECTION_19
- and SELECTION_20 and SELECTION_21)))
-falsepositives:
-- Unknown
-id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
-level: high
-logsource:
- category: process_creation
- product: windows
-references:
-- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
-- https://abuse.io/lockergoga.txt
-- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070
-- attack.t1562.006
-- car.2016-04-002
-yml_filename: win_etw_trace_evasion.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-
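Review bot: several selections in this rule are exact duplicates (SELECTION_3 and SELECTION_5 are both `'*/Trace*'`, SELECTION_7 and SELECTION_9 are both `'*/e:false*'`, SELECTION_11 and SELECTION_15, SELECTION_12 and SELECTION_14), which inflates the condition to 21 selections and makes it hard to audit. If the rule is regenerated, deduplicate so each pattern appears once and is referenced from each branch of the condition. Also worth flagging that `'*cl*'` and `'*sl*'` are two-character substrings that match almost any command line; they are only safe because each is ANDed with a `/Trace` or `/e:false` term, so that pairing must be preserved in any rewrite.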
diff --git a/rules/alert-rules/sigma/win_event_log_cleared.yml b/rules/alert-rules/sigma/win_event_log_cleared.yml
deleted file mode 100644
index 289fed37..00000000
--- a/rules/alert-rules/sigma/win_event_log_cleared.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Security Event Log Cleared
-author: Saw Winn Naung
-date: 2021/08/15
-description: Checks for event id 1102 which indicates the security event log was cleared.
-detection:
- SELECTION_1:
- EventID: 1102
- SELECTION_2:
- Provider_Name: Microsoft-Windows-Eventlog
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate administrative activity
-fields:
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SubjectDomainName
-id: a122ac13-daf8-4175-83a2-72c387be339d
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/10/13
-references:
-- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
-status: experimental
-tags:
-- attack.t1107
-- attack.t1070.001
-yml_filename: win_event_log_cleared.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-
diff --git a/rules/alert-rules/sigma/win_exchange_proxylogon_oabvirtualdir.yml b/rules/alert-rules/sigma/win_exchange_proxylogon_oabvirtualdir.yml
deleted file mode 100644
index 2412aa6e..00000000
--- a/rules/alert-rules/sigma/win_exchange_proxylogon_oabvirtualdir.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: ProxyLogon MSExchange OabVirtualDirectory
-author: Florian Roth
-date: 2021/08/09
-description: Detects specific patterns found after a successful ProxyLogon exploitation
- in relation to a Commandlet invocation of Set-OabVirtualDirectory
-detection:
- condition: ((OabVirtualDirectory and -ExternalUrl ) and (eval(request or http://f/